Introduction

Managing and executing governance, risk & compliance in the
21st century requires many of the same talents as a jazz
ensemble. Contemporary organizations, however, try to be
more like an orchestra. An orchestra is a streamlined machine
that practices the execution of a well-defined piece of work
and expels all ambiguity. It doesn’t like continuous, and
certainly not unforeseen, change. In jazz, as in the real
world of financial services, there is always room for ambiguity
and flexibility. That room is, in fact, the nutrient for
customer-centricity, operational excellence and uniqueness.

In actual practice, organizations in heavily regulated 
industries are, at present, not able to play like an orchestra, 
let alone play like a jazz ensemble. The complexity they are 
dealing with is too overwhelming. They are not able to 
integrate new regulations and frequent changes in regulation 
successfully in their environment. There is no robust and 
resilient alignment between regulation, business motivation, 
operation and evaluation. They are faced with a cacophony of 
sounds of ad hoc trials and advice about what to do. Nothing 
works. It’s time to try something different. 

In this book, we present a GRC value proposition and GRC 
value architecture that marks the difference between the old 
way of supporting knowledge-intensive processes in heavily 
regulated industries and the new way of surviving and being 
successful in a volatile and uncertain future. We also explore 
the supporting technology that is needed to achieve this 
position and the transformational impact of the change 
stakeholders in heavily regulated industries are facing. 

We want to thank Arian Verbeek for his contribution to the
GRC framework architecture, Willem Dicou for his contribution
to the governance-as-a-service chapter and Francesca
Vonk-Hagethorn for redesigning our illustrations.


John Coyne, Thei Geurts 
June 20, 2013 


Playing Jazz in the GRC Club

be informed


Management summary 

This publication contains two narratives. The narrative in the 
first chapter asks the question “Do you remember when 
compliance was a burden for you?” Instead of futilely 
complaining about everything that makes our life complex and 
troublesome, we start by describing a future situation in 
which this question is fully legitimate. This leads to an 
intriguing perspective of what is needed to become an 
“entrepreneur of meaning” in the GRC space. We describe an 
actionable framework and the underlying principles that allow 
you to break the vicious spiral in which you are caught. The 
result is a GRC intelligence position in which you and your 
engaged workforce are able to face the pace of regulatory 
change, smash bottom-line costs, increase top-line revenue 
and profitability and - most importantly - restore trust. And 
your compliance issues? They will be over, because you are 
compliant by design. 

The narrative is purposely kept very basic, and presents the 
overall view of a GRC framework without going into too much 
detail. For a more in-depth understanding, the readers may go 
to the second narrative in the following chapters and pick the 
topics that are of interest to them. 

In Part II, John Coyne takes this innovative perspective of GRC 
to a broader and deeper level. John provides the signposts for 
organizations to handle regulatory overload, realize real-time 
regulatory oversight, deal with emergent complexity, and 
work together in spontaneous networks. In Part III, we 
describe the concept computing technology that is now on the 
market to enable the described solutions. This innovative 
technology is about to cause a real paradigm shift in the world 
of heavily regulated industries. In Part IV, we focus on a 
practical solution to the multiple islands of similar activities 
taking place in regulated businesses across the globe. 

In the last chapter, the two narratives come together. Part V 
explains why you need to play jazz when addressing the topic 
of transformation, and how to realize the co-existence of the 
old and the new. It also summarizes the business case for 
embarking on the transformational journey. 

Lastly, the appendix contains an anthology of observations and 
points of pain in the GRC space and solutions based on the 
presented vision. 


Part I: Do you remember when compliance was a burden?


Introduction 

There is a wonderful construct in solution-focused therapy 
called “future perfect”. In a business environment, we often 
refer to it as “the dot on the horizon” or the “to-be” 
situation. Its main function is to take a step back and look at 
your situation from a higher, analytical and objective 
perspective. This is inherently connected to achieving a 
deeper understanding of the real causes of your current 
problems. It enables you to develop a transition path to the 
new future. If we take that approach and apply it to the 
governance, risk & compliance (GRC) domain, something 
interesting happens: a new perspective on GRC emerges. 

So we should not complain about the gap between strategy
and execution, non-authorized decisions or backward-looking
checks and controls. At this stage, we should also not
elaborate on regulatory complexity, on managing credit,
knowledge, legal and other risks, on the increasing cost of
compliance or on how to address integrity issues, but focus on
the “future perfect” of your GRC environment. Then we might
have another kind of conversation.

Suppose you were a C-level representative of a highly 
regulated industry, e.g. of a financial institution, and I were 
to ask you, “What would happen if you awoke tomorrow and 
all your compliance problems had vanished? How would you 
notice the difference?” What would your answer be? 


Break the vicious spiral 

You would understandably perhaps need to make up your mind 
first, and probably buy some time with remarks like, “An 
intriguing question. We indeed mostly focus on all the 
elements that are holding us back.” 

You might continue with, “We are stuck in a vicious
compliance spiral. I will try to answer your question and
explain how we broke that spiral. But before I answer, allow
me to explain what I mean by governance, risk & compliance
and how I position my compliance issues.”


Figure 1: The vicious spiral. Source: based on the Crozier bureaucracy spiral.

Then you would probably say, “There is an OCEG definition 
that reads as follows: GRC is ‘the capability to reliably achieve 
objectives (governance & performance) while addressing 
uncertainty (risk management) and acting with integrity 
(compliance).’” 

You might continue by stating, “For me, there is an important 
strategic component in GRC, dealing with business objectives 
and performance, balancing investments according to our 
desired direction and desired results, setting decision rights 
and resulting policies.” You refer to leading analysts who 
claim that understanding and articulating which decisions 
must be made, by whom, how and when, and ensuring that 
policies are aligned with legal requirements and business 
objectives, are all key parts of the decision-making aspect of 
governance (Short & Caldwell, 2012). 

“However,” you say, “GRC also involves setting risk tolerances
for external and internal risks and being capable of dealing in
time with unexpected events. This requires that processes and
procedures be in accordance with policies and within the
tolerances to support decisions. That covers the risk
management aspect. Finally, the compliance and assurance
aspect of GRC is about establishing measures to monitor
adherence to policies and decisions.”

“So,” you conclude, “solving compliance problems is not an 
isolated issue, but a systemic one. It is only possible if I take 
the whole GRC ecosystem into account.” I would probably nod 
affirmatively and then continue with my question. “Fine, and 
what would happen if you awoke tomorrow and all your 
compliance problems had vanished? How would you notice the 
difference?” 


Trust drives your “future perfect” 

“Okay,” you say. “I would almost certainly see a flourishing 
profitable business, with a strong performance, solid growth, 
great elasticity, engaged employees, and we would all enjoy 
our work. But do you want to know how exactly I would notice 
the change that took place?” 

“My answer is that, in my ‘future perfect,’ I would notice that 
we had restored the confidence of society and the government 
that we have lost in this present crisis of values. In the end, it 
all boils down to trust, doesn’t it? Ultimately, our profitability 
depends on it.” 

“Yes. That makes sense,” would be my reaction. My next 
question would then be: “So how would you notice that trust 
had been restored, and how would you be able to foster and 
maintain that trust?” 

You would probably give two examples. “First, the 
government has reduced our regulatory burden in the sense 
that we are certified to act in a higher division of trust,” you 
tell me. “Initially, we were forced to act like we were under a 
contract. Many checks, controls and reports were required and 
we had a lot to explain and prove. Now we have reached a 
knowledge-based trust level (Kramer & Tyler, 1996) in which 
our organization and our contracted partners are proven 
compliant.” 

“Regulatory agencies audit and have approved the way we
organize our GRC processes. They have real-time access to our
knowledge base, in which we maintain the life cycle of
regulations, risk tolerances, policies and controls.” You smile
and add, “Naturally, they do not see the organizational
strategy, goals, objectives and internal metrics that we have
seamlessly connected to these rules.”


Figure 2: The trust growth path facing regulators. Three stages: stable
calculus-based trust, stable knowledge-based trust and stable
identification-based trust, with the regulator at the far end.
Source: Kramer & Tyler, Trust in Organizations, 1996.


“On the other hand, regulatory agencies may have real-time
oversight of the way we have executed controls in our
transactions, using the shielded access and standard reporting 
and notification features we provide. In more and more cases, 
we even have an open invitation to act at the highest level of 
trust. We are partnering in defining new regulations, shaping 
the way that fits our industry and discussing the results of our 
impact assessments before government decisions become 
active.” 

Secondly, you provide me with an example that clarifies how
you are now able to maintain that trust in a highly
cost-effective way. You tell me that at some point in time you
realized that you are, in essence, a regulator yourself. “The 
same level of trust that is expected from me externally, and is 
enforced upon me, has to exist between me and my board, 
our business units and the partners in our network.” 

“That has led to some important choices,” you tell me. “We 
have devised a structure that ‘connects all the dots’ and 
enables end-to-end governance and transparency. So we have 
connected regulatory alignment, risk alignment and business 
alignment in one coherent and consistent approach. We have 
closed the loop from strategy to execution, from proof to
improvement, and turned it into a continuous loop.”

You explain to me that this was enabled by focusing on the
core of the governance, risk & compliance process and finding
the sweet spot. You have realized that you have to increase
the meaning quotient of work (Cranston & Keller, January
2013). So you have become what Gary Hamel calls an
“entrepreneur of meaning” (Hamel, February 2009).


Entrepreneur of meaning 

You have found that three simple words are crucial: meaning, 
decision and context. “Meaning,” you say, “is about the 
meaning of regulatory, policy and business requirements. It 
tells me ‘what’ I have to do ‘how,’ ‘why’ and ‘when’ in a 
specific situation. So, meaning is directly connected to the 
context of the situation at hand. Therefore ‘meaning’ is more 
than simple rules.” Decisions play a vital part in your end-to- 
end process from strategizing to execution and from 
monitoring to improving. You and your employees take 
decisions on a daily basis about aspects like a credit 
application, risk assessments, deal or no deal, based on the 
meaning of requirements in a specific context of a specific 
case. 

In your “future perfect,” you tell me, you have established an 
actionable framework in which the meaning of requirements is 
extracted in human and machine-readable form and stored as 
your source of truth. This source provides the fuel that drives 
your entire business operating system. It is directly infused 
into your operations and executes preventive controls to 
shield you from risks. It enables you to take automated 
decisions and provide decision support when and where 
needed. This shortens your cycle time and reduces the 
workload considerably. This source of truth enabled you to 
achieve the knowledge-based level of trust you enjoy from 
your regulatory authorities. 

You are keen to emphasize that you are talking about a 
conditional source of truth. It is an intelligence source that 
tells you what is true within a certain context that is specified 
in regulatory and policy documents. This regulatory and policy 
intelligence source feeds the decision process based on 
preconditions, and always in line with the objectives you have 
defined. The preconditions determine what kind of 
information is needed and which activities are allowed or 
required by whom at that moment in the process. Each new 
piece of information leads to an automatic assessment of what 
is now needed and allowed. 

By handling decisions this way, you have eliminated the 
traditional vision of workflow and processes, including all their 
limitations. Instead of designing consolidated flows that are 
believed to address the constraints of all parties involved, you 
have captured the individual constraints of all stakeholders, 
and the business processes meeting these constraints are 
automatically inferred. The result is flexible business 
processes that allow experts to shape their own work based on 
their experience and seamlessly adapt to the dynamic network 
they are performed in. (Grondelle & Rensen, 2013) 

Since all decisions are based on the meaning of requirements 
in the context of every case, you are able to treat every case 
as unique. There are no exceptions anymore, because you 
have made the exception the rule. 

On this basis, you were able to establish an advanced degree 
of self-service functionality. It turned out to be the missing 
stepping stone for your organization to become truly 
customer-centric. 

Since your framework records the decision data with a trace 
to the requirements on which they are based, you can always 
prove that you are compliant. You are “compliant by design”. 
This enables real-time monitoring and instant and 
consolidated reporting. It removes the burden of e-discovery 
in litigation cases and frees up time to focus on assessments 
for continuous improvement. 
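The mechanism sketched in the last three paragraphs (requirements held as rules with explicit preconditions, every new fact re-triggering the assessment of what is now required or decided, and every decision recorded with a trace back to the requirement it rests on) can be shown in a few dozen lines. The Python below is an added illustration for this chapter; it is not code from the book or from any Be Informed product. The rule identifiers (KYC-1, RISK-1, CR-2 to CR-4), the policy references, the credit limit and the credit-application facts are all constructed for the example.

```python
# Precondition-driven decision engine with a requirement-traceable audit trail.
# Added illustration; not code from the book or from any Be Informed product.
# Rule ids, policy references, LIMIT and the case facts are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Facts = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """A requirement in machine-readable form: precondition plus consequence."""
    req_id: str                       # constructed requirement identifier
    source: str                       # constructed reference to the policy text
    applies: Callable[[Facts], bool]  # precondition over the case context
    activity: Optional[str] = None    # activity that becomes required when it holds
    decision: Optional[str] = None    # automated decision when it holds


@dataclass(frozen=True)
class AuditEntry:
    step: int
    req_id: str
    source: str
    facts: Facts                      # snapshot of the context the rule saw
    activity: Optional[str]
    decision: Optional[str]


LIMIT = 50_000  # constructed: above this amount a specialist must decide


def _ready(f: Facts) -> bool:
    """Decision rules only fire once identity, amount and risk score are on file."""
    return f.get("identity_verified") is True and "amount" in f and "risk_score" in f


RULES: List[Rule] = [
    Rule("KYC-1", "hypothetical AML policy, section 3",
         lambda f: f.get("identity_verified") is not True, activity="verify_identity"),
    Rule("RISK-1", "hypothetical credit policy, section 4",
         lambda f: f.get("identity_verified") is True and "risk_score" not in f,
         activity="obtain_risk_score"),
    Rule("CR-2", "hypothetical credit policy, section 5",
         lambda f: _ready(f) and f["amount"] > LIMIT, activity="specialist_review"),
    Rule("CR-3", "hypothetical credit policy, section 5.1",
         lambda f: _ready(f) and f["amount"] <= LIMIT and f["risk_score"] >= 600,
         decision="approve"),
    Rule("CR-4", "hypothetical credit policy, section 5.2",
         lambda f: _ready(f) and f["amount"] <= LIMIT and f["risk_score"] < 600,
         decision="decline"),
]


class Case:
    """One case. Each new fact re-runs the assessment; every rule that fires
    is appended to the trail together with the requirement it came from."""

    def __init__(self, rules: List[Rule], initial: Facts):
        self._rules, self._step = rules, 0
        self.facts: Facts = dict(initial)
        self.trail: List[AuditEntry] = []
        self.assess()

    def add_fact(self, key: str, value: object) -> List[AuditEntry]:
        self.facts[key] = value
        return self.assess()

    def assess(self) -> List[AuditEntry]:
        self._step += 1
        fired = [AuditEntry(self._step, r.req_id, r.source, dict(self.facts),
                            r.activity, r.decision)
                 for r in self._rules if r.applies(self.facts)]
        self.trail.extend(fired)
        return fired

    def _current(self) -> List[AuditEntry]:
        return [e for e in self.trail if e.step == self._step]

    def required_activities(self) -> List[str]:
        return [e.activity for e in self._current() if e.activity]

    def decision(self) -> Optional[str]:
        found = [e.decision for e in self._current() if e.decision]
        return found[0] if found else None

    def evidence(self) -> List[Tuple[str, str]]:
        """Trace from the current decision back to the requirements behind it."""
        return [(e.req_id, e.source) for e in self._current() if e.decision]


def run_demo() -> Tuple[List[str], List[str], Optional[str], List[Tuple[str, str]]]:
    # Walk one constructed credit application through the engine.
    case = Case(RULES, {"amount": 20_000})
    before = case.required_activities()      # identity not yet verified
    case.add_fact("identity_verified", True)
    after_kyc = case.required_activities()   # still no risk score on file
    case.add_fact("risk_score", 710)
    return before, after_kyc, case.decision(), case.evidence()


if __name__ == "__main__":
    b, a, d, ev = run_demo()
    print("required first:", b, "| after KYC:", a, "| decision:", d, "from", ev)
```

Two points are worth noticing. A decision rule cannot fire until its preconditions are satisfied, so a missing risk score yields the activity "obtain the score" rather than a premature approval or decline; that is the preventive control. And `evidence()` answers the auditor's question directly from the case record, which is what "compliant by design" amounts to in practice. In a real deployment the trail must itself be append-only and integrity-protected (for instance hash-chained or written to a write-once store), otherwise the proof is only as trustworthy as whoever can edit it.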

Looking at my face, you see that it is hard for me to understand
what you mean, so you draw me an image of the framework
that you envision in your “future perfect”.

The image shows the process of reacting to external 
regulations by distilling the requirements, executing impact 
assessments, creating implementation scenarios, defining or 
mapping the new requirements to your strategy and 
objectives, deciding on the acceptable risk tolerance and 
“translating” the result into policies, controls, reports and 
performance metrics. You even mention alerts and training as
elements that can be defined in your framework.


Figure 3: Your actionable governance, risk & compliance framework
(regulations feeding the core process). Source: Be Informed, Thei Geurts, 2013
The elements of the framework in Figure 3:

Regulatory challenges: coping with regulatory challenges; lifecycle management of
regulations, objectives, risks, policies and controls, according to all standard and
proprietary frameworks (e.g. risk, legal, business, compliance), including third-party
oversight.

Semantic model: meaning-based transposition of requirements, rights, obligations and
constraints into a coherent and resilient model, enabling comprehensive and instant
changes; time-sensitive rules.

Definition: executable output manifestations of the model based on one version of the
truth, supported by e.g. dynamic forms, wizards, checklists, workplace and services;
up-to-date documentation.

Preventive controls: infusion of GRC intelligence in the core process; execution of
prescriptive and preventive controls; automated decisions; dynamic activity plan and
unified case view; situation- and role-aware collaboration and actions, based on
preconditions; case records and audit trail.

Review & Evaluate: dynamic activity plan for monitoring, auditing and reporting;
comprehensive overview with links to the regulations and policies on which decisions
are based; data integration, merging, access and retrieval; notifications, dashboards,
instant and consolidated reporting from multiple perspectives; feedback and continuous
improvement.

Publish & Share: publishing and providing access to data and reports; enabling real-time
oversight for all stakeholders; proof of ethical behavior, enhancing public trust.


Then you draw my attention to what you call “the semantic 
sweet spot” of your framework. 

The semantic sweet spot 

The semantic sweet spot contains your source of truth, in 
which all requirements are transposed into a man-and- 
machine-readable semantic model. “Semantic means 
meaning,” you explain to me. “It is not only our sweet spot, 
because it contains all the meaning, rules and conditions, but 
also because it has an embedded ability to ‘transform’ itself 
as a portal, a knowledge base, a wizard or as a service. It is 
directly executable in many forms. It is the catalyst of all our 
operations - the core differentiator that makes the ‘future 
perfect’ feasible,” you tell me. 

Figure 4: Managing meaning (the semantic sweet spot between regulations and the
core process). Source: Be Informed, Thei Geurts, 2013


Based on that sweet spot, you are able to infuse compliance 
rules into your process and execute preventive controls. You 
use automated decisions and decisions that are guided to a 
specialist based on the case and rules at hand. All your 
knowledge workers work together across their silos. 

They are supported by a dynamic activity plan that helps them 
to plan and perform their job within the guidelines and 
boundaries of your risk policy and procedures. All activities 
and decisions are recorded and can be used for monitoring and 
reporting. You can publish reports, provide access to your 
knowledge base, as you mentioned before, and share data and 
findings across the enterprise. 

You tell me that this approach has changed the mindset of 
your organization. “We are now more focused on managing 
meaning, improving our performance and exploiting the 
possibilities that regulations offer. We now regard a regulatory 
change more as a business opportunity than as a threat.” 

Finally, you draw my attention to the behavioral aspect. “In 
the past, we had huge difficulties in terms of how to establish 
a risk-aware culture enterprise-wide,” you tell me. “In my
‘future perfect,’ it is always clear to everyone what they have 
to do and why. Tolerances are embedded in the decision 
process, and preventive controls reduce the temptation and 
even the possibility to diverge from our principles and 
policies. This reduces the risk of fraud and other prohibited 
forms of conduct.” 


Augmenting your GRC intelligence position 

“If I try to grasp that picture of your ‘future perfect,’ it is 
evident to me that you have created a GRC intelligence 
position that offers extreme value. Since you have established 
a smart method of decision control, you must have eliminated 
all, or at least a large proportion of, your main cost drivers. 
You have probably also freed up capital because you can act 
reliably with lower risk thresholds. This means that you must 
have become more profitable.” 

“That is absolutely the case,” is your answer. “We were, for 
example, able to move a large portion of our assets from tier 
3 to tier 2 and from tier 2 to tier 1 and also cut our claim 
costs considerably. If accountancy or other intermediary 
organizations provide us with GRC as a service, we can simply 
infuse their regulatory intelligence into our process and 
become even more efficient. We have already thought about 
decision measurement and decision pricing as a new pricing 
mechanism.” 

“How about sustainability?” I am tempted to ask. “How, for
example, do you deal with regulatory change?” I can imagine 
that that question may make you smile. “Regulatory change is 
not an issue anymore,” you tell me. “We only have to change 
a regulatory requirement once and in one place to make it 
executable throughout the whole process. That is a 
consequence of establishing one version of the truth. 

“We can process a regulatory or policy change in a few days, 
and in hours, if needed, instead of months. Since we are able 
to apply regulatory and policy requirements to all products, 
we can detect upfront potential overlap and conflicting 
requirements. Last but not least,” you add, “the cost of 
change has decreased dramatically.” 

You even draw my attention to the fact that your approach is
able to support all legal frameworks, like Basel III and Dodd-
Frank, and all standard and proprietary risk and control
frameworks, not only in financial services, but also in other
matters and domains, like safety, environment and health.

“So it doesn’t matter if new regulations will be issued; we can 
handle them,” you say. “We can provide the same level of 
trust to our regulatory agencies and apply the same approach 
enterprise-wide. We even use the same approach for 
managing our third-party contracts to cover our whole supply 
and demand chain. 

Figure 5: Support for multiple frameworks (examples shown: duty of care, FINRA,
Basel, qualified transactor, asset performance). Source: Be Informed, Thei Geurts, 2013


“In essence, we have created a resilient system that is 
adaptive and agile at the same time, as well as highly 
actionable, collaborative and inherently transparent. It also 
provides all the dashboards we need, allowing the board and 
myself to execute our governance role and focus on the things 
that really matter for our business continuity. In addition, our 
risk manager has finally realized his vision of an
enterprise-wide risk management system for all risk types, and is thus
well equipped to deal with uncertainties. As a result, my legal 
and compliance officers can focus more on their advisory 
tasks, and internal audit can audit in real time instead of 
retrospectively and recommend remediation. External 
auditors and supervisors receive a full service, which reduces 
the burden on my operations and makes expenses negotiable.” 

“That’s quite impressive,” I reply. “How about your IT 
department? I noticed that you didn’t mention them.” “They 
are enthusiastic, too,” you respond. “Naturally, they were 
skeptical in the beginning and wanted proof. They are focused 
on remaining predictable, but also eager to support the 
business. Extracting meaning, context and decision-based 
elements from the code made this much easier for them. Now 
we have separate release cycles for regulatory, policy and IT- 
related changes.” 

My next question could be, “What about your employees 
below the management level? How did you facilitate their 
buy-in?” “That all relates to the trust-factor,” you answer. 

“We have managed to transform the vicious spiral into a 
virtuous spiral. Since we focus on the meaning, context and 
decisions, they have more autonomy to collaborate and decide 
within the constraints that are set for their role and 
competence level. The level of engagement is astonishing. 

Figure 6: The virtuous spiral (more engagement). Source: Be Informed, Thei Geurts, 2013



“As I said, the whole process is supported by a workplace and 
a dynamic activity plan that guides the execution of 
mandatory and optional tasks across all divisions and 
departments. This applies to all activities, like policy-making, 
impact assessment, defining controls, executing controls, 
monitoring, reporting, auditing, recommending or 
remediating. It is a layer above the organization that connects 
all activities without affecting the systems and responsibilities 
that are already in place. It offers freedom and control at the 
same time. We have broken the vicious spiral and have 
transformed it into a virtuous spiral.” 

Thinking about the impact of such a revolutionary approach, I 
wonder how you have transformed your organization to 
achieve that future position. Your answer would probably be, 
“How do you eat an elephant? Slice by slice. Once you have 
created your vision, the transformation starts. You have to 
follow an evolutionary approach to realize the business case of 
the whole process and the business cases of every part of it. 
Start with a solid foundation and expand from there in an 
incremental way. Lower your GRC burden in a controlled way 
that fits the maturity and capabilities of your organization.” 

Looking for a metaphor, you say, “Do it in an organic way, as 
if your organization is a living body. Grow step by step, 
explore with an open mind, accept small pains to achieve big 
gains and foster your self-healing capability. In other words, if 
events hurt you despite all precautions, be prepared and able 
to remediate and continuously improve. Utilize instruments 
and technology that inherently strengthen your organic 
capabilities. Don’t try to model the whole world, but focus on 
the essential. The less optimal solution often delivers the best 
cost-benefit ratio. Never forget that managing meaning is 
essentially managing the heartbeat of your organization.” 

That is your advice. 


What is holding you back? 

I wonder what is preventing you from realizing that “future 
perfect,” and you tell me that it is the lack of an enabling 
technology. You are fully aware that “business as usual” is no 
longer possible, since continuous change and uncertainty 
prevail. However, you are still looking for a technology that is 
non-invasive, that supports your process end to end, and is 
dedicated to business-centricity. 
Knowledge and experience should, in your opinion, be
separated from the fundamental infrastructure required for
processing, because they change more rapidly. Knowledge,
know-how, expertise, best practices (“call them what you
like,” you say) are, in your opinion, fundamentals that need
to be managed via an actionable framework by the business
itself.

Currently, though, you are still impaired by a situation in 
which your process execution knowledge is hidden in 
computer code or lives in isolation in user guides and 
spreadsheets. Data authenticity and integrity are hard to 
maintain, and you cannot stay up to date. 

You even tell me that in New York, the home of some of the 
largest financial institutions in the world, there are some 
14,000 proposed regulations that affect their global 
operations: rules that to a large extent are not (or cannot be) 
implemented across the financial enterprises. This is in full 
violation of not only U.S. regulations, but also global 
regulations such as Basel II & III and international regulations 
of the European Banking Authority. 

You are facing a similar problem. Even worse, the number of 
regulations is increasing, as is the speed of changes. Reporting 
cannot be based on approximation anymore, but must be 
based on detail in order to survive serious scrutiny. Reporting 
also has to meet strict deadlines that are in conflict with the 
data provisioning cycles of your IT systems. Your present 
reporting is mainly based on time-consuming hindsight 
analysis, and you are unable to reduce your reporting latency. 
As a consequence, you are reporting too late to the regulatory 
authority, which leads to further undermining of the level of 
trust, which is already low. 

Your board cannot fulfill its regulatory obligation for 
oversight. Not being compliant may result in high penalties 
and even prosecution, both for them and for you. You are 
struggling to maintain a risk-adjusted profitability. The cost of 
GRC implementation is high, and does not directly contribute 
to the primary business in terms of revenues and profit. 

Overall business performance is going down, which is why you 
want to tackle your compliance issues from a systemic 
perspective. 
You are showing me your 7P model, and explain to me that
the essence of GRC can be expressed in seven concepts, each
starting with the letter P.

Figure 7: The 7P model of governance, risk & compliance



Source: Be Informed, Thei Geurts, 2013 


“The two open connectors symbolize the current fragile 
transfer and connection points between the preceding and 
next concept,” you explain to me. 

Then you create a list of the concerns that belong to every
concept in the model. The list offers a condensed, non-exhaustive
overview of the concerns you are dealing with.
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Figure 8: Your 7P model concerns 
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How to reinstall confidence? 

Society and Government lack trust and keep issuing regulations to force the exercise of 
prudence and enforce Uansparency. _ 


How to get help to cope with the flood of new regulations & expectations? 
Provisioning services from external bodies and providers are fragmented and lack 
Structural, syntactic and semantic interoperability. How to control cost? 


How to address continuous regulatory pressure? 

How to assess risk and impact of new regulations and changed conditions? 

How to align business objectives & performance within the defined risk tolerance 
constraints? 

How to manage strategic and operational risk, promote ethical behavior and prevent 
fraud and other misconduct? 

How to develop, align, distribute, communicate and maintain directives, policies, 
procedures and controls and their lifecycle? 

How to provide meaningful insight from multiple perspectives? 

How to manage and impose contractual mandates? 


How to implement risk profiles with procedures, preventive and repressive controls in the 
business? How to keep them up to date? How to plan controls? 

How to align, execute and enforce controls across many products, systems and business 
lines? How to get a 360-degree view of the client case context? 

How to make risk-tolerance-aware decisions based on preventive controls? 

How to automate decisions? 

How to monitor and synchronize collaboration? How to treat every case fairly? 


How to record, secure and access data? Transaction and interaction (arti)facts are in many 
places, not linked to policy and controls. 

How to monitor, control and assure compliance? 

How to move from sample based backward to continuous forward control? 

How to report in time from multiple perspectives, internal and external? 

How to collaborate with different parties and roles? 

How to provide liability and litigation proof from a dispersed landscape? 

How to identify and detect internal risk? 

How to mitigate risk? 

How to prevent the business operating system from slowing down and the business from 
underperforming? 

How to prevent working capital from becoming unavailable due to high risk reserves? 

How to conquer technological limitations and growing complexity? 

How to apply technology to optimize gradually and assure return on investment? 

How to remain profitable and seize opportunities? Business as usual is cancelled; new 
market risks appear overnight and come from everywhere. 

How to cope with change dynamics? 

How to create trust from the regulatory authorities and prevent reputation damage? 


Source: Be Informed, Thei Geurts, 2013 


Our conversation unsurprisingly ends with a sigh that you 
really are looking forward to the moment when you can 
relieve the GRC burden and finally engage in a 
transformational journey to your “future perfect”. 

You currently feel like a circus acrobat, balancing on a rope 
above the Grand Canyon without a safety harness or net. Your 
main concern is not falling down, instead of going forward and 
enchanting the public with your capabilities. 

For this reason, in the subsequent chapters we will discuss 
with John Coyne what is required to make the “future 
perfect” of our conversation partner come true. 
Part II: 

How to enhance regulatory 
capabilities and oversight 


Introduction 

My second conversation partner is John Coyne. John directs 
worldwide financial markets and business innovations. He is a 
leading technologist, software executive, inventor, industry 
analyst, and developer of transformative business innovations. 
John is a published inventor with multiple patents issued and 
pending in advanced technology, devices, systems, and 
methods in high technology, financial services, media and 
defense industries. He has developed innovations that have 
transformed assets and business performance. John led the 
Financial Services Genome project that articulated the first 
comprehensive model of modern financial services. 

I knew that John had some interesting literature on real-time 
regulatory oversight, regulatory management and governance 
as a service, but not published it. This led me to contact him 
and agree to co-author this book. 

Deep-dive dialogue 

We agreed to use the vision paper of the “future perfect” as a 
starting point. Based on this admittedly generic vision, John 
offered to go into more detail about aspects that are largely 
underexposed in the “standard” GRC literature - aspects we 
judged to be relevant for a deeper and broader 
understanding. We agreed that we would hold a series of 
interviews to elaborate the most important aspects. We also 
agreed that we would maintain the dialogue style from the 
vision paper for the chapters to come. 

John proposed that we start with some non-IT-related aspects, 
since he expected that not every reader would be interested 
in the IT angle. So we decided to start with aspects related to 
regulatory oversight and regulatory capability. 
I met John for the first interview in Palm Beach during the 
spring break. It was one of those rare days on which rain and 
clouds obscured the Florida sky. It was the perfect weather 
for an in-depth interview. 

“Hi, John. Thank you for taking the time to share your 
opinions with us. Before we dive into the aspect of regulatory 
oversight, may I ask you which three aspects of the ‘future 
perfect’ vision appealed most to you?” 

John smiled mildly and said, “Thank you for asking me, Thei. I 
must say that it was a pleasure reading that vision paper. The 
first aspect I would like to mention here is the concept of a 
GRC framework of frameworks. That is highly relevant, since 
heavily regulated industries are almost always subject to 
multiple frameworks and regulatory regimes. By the way, it is 
also highly relevant that your GRC framework is based on 
semantic technology. The second aspect is the notion of 
actionable controls; in my opinion, controls that are executed 
in operations before a decision has been taken are the only 
real line of defense. The third aspect I very much like is the 
systemic view. Many of the problems regulated industries are 
struggling with are based on solving ad hoc problems with ad 
hoc solutions in an isolated way. Only if you take a systemic 
view, will you discover the sweet spots that really make the 
difference.” 

As the rain began to pour even harder, we moved on to the 
subject of regulatory overload. 


Regulations are growing faster than most GDPs 

First of all, I asked John whether he could give some details 
on the volume of compliance regulations and their impact. 
This turned out to be an easy assist, and John immediately 
provided some details. 

“Today, the regulatory environment is growing faster than the 
economy,” he said. “New rules are affecting regulated 
industries and businesses soon to be regulated. The rate of 
increase in regulatory compliance rules exceeds the capability 
of businesses to integrate them into their environment, 
leaving them and their management vulnerable to fines, 
censure or worse. Examples include JP Morgan, Goldman 
Sachs, Barclays and HSBC, all of which have been subject to 
fines, hearings, loss of reputation, loss of faith and, as fallout, 
loss of market capitalization affecting all of their 
stakeholders.” 


Regulatory tsunami 

John mentioned, like my previous conversation partner, that 
worldwide the trend has led to over 14,000 new proposed and 
enacted rules in regulated industries. There are 60 new 
announcements per day on regulatory change. John presented 
me with a chart. The chart shows the trend from 2010 to 2011. 


Figure 9: 14,000 proposed and newly enacted rules 

TRACKED REGULATORY ACTIVITY 2010-2011 

Source: Thomson Reuters, 2012 


The U.S. leads the trend 

It is obvious that the U.S. leads the trend, but as the next 
chart demonstrates, Europe and Asia are also following the 
path of increased regulation. 

Figure 10: Increased regulation per region 

ACTIVITY BY REGION (over a 24 calendar-month period) 

Chart legend: Australasia, Asia, Middle East, North America, UK/Europe 

Source: Thomson Reuters, 2012 
John repeated that regulations are growing faster than most 
GDPs. He said, “In fact, in a world of economic decline, it is 
the fastest-growing industry.” 

“Businesses are no longer able to grasp the interdependencies 
between regulations and their relation to the internal policies. 
Especially for international businesses and those that transact 
business internationally, there are competing local 
jurisdictions that may trump, conflict with, or otherwise 
create turmoil with regulations that are in conflict with each 
other. They wonder how to deal with this complexity.” 

John looked at me and concluded, “So you may now 
understand that organizations in heavily regulated industries 
definitely need strong and solid regulatory capability in order 
to cope with the challenge of regulatory overload.” 


Regulatory capability 

At my request, he defined the concept of regulatory capability 
as follows: “Regulatory capability in a broader sense can be 
defined as ‘all competences and activities of the regulated 
company which are affected directly or indirectly by 
regulation’. They cover the motivation, definition, operation 
and evaluation dimension. They range from tracking and 
analyzing the impact of legislation, and designing and 
developing policies and procedures through implementation, 
operationalization, assessment and improvement activities.” 

“In the governance, risk & compliance domain, some use the 
concept of ‘policy life-cycle management’ to make a 
distinction between government responsibility for regulatory 
life-cycle management (making and maintaining regulations) 
and enterprise responsibility (making and maintaining policies 
for applying regulations). However, you should be aware that 
the policy life cycle, if too narrowly defined, is only a part of 
the whole regulatory life cycle, and therefore of the GRC life 
cycle.” 

This remark reminded me of Newton’s cradle image, 
representing the policy-making system in the public sector 
(Geurts, 2011). It has four stages that are also applicable in 
the GRC space. Even the same processes of scrutiny and 
accountability aspects are applicable. 
Figure 11: Putting purpose into practice 

Source: Geurts, T., Public Policy-Making - The 21st-Century Perspective, 2011 


In Newton’s cradle, almost all the energy from the first ball is 
passed through the chain to the last ball. If the system is not 
in sync, because some balls deviate, the system becomes 
chaotic and the energy evaporates. This effect is almost 
inevitable if collision between multiple systems is not 
detected in advance and taken care of. The challenge is to 
maintain policy momentum in the process of putting purpose 
into practice. That is not possible without policy life-cycle 
management. 

“Regardless of what you call it,” John said, “you should 
therefore be aware that a regulatory capability is needed for 
managing the whole life cycle. It is about more than 
implementing regulatory change or translating regulations into 
controls. It goes beyond policy management, because normally 
management starts after you have defined your goals and 
objectives. The policy phase is preceded by a strategic phase 
in which the business motivation is defined.” 

“Business motivation, operation and evaluation are becoming 
more and more intertwined. This is especially the case if they 
operate in a complex and dynamic environment where they 
may be subject to many volatile regulations. Regulations can 
impact strategy, goals and objectives, and necessitate 
revisions. And by the way,” John added, “the same applies to 
the results of assessments, whether they are carried out 
ex-ante (before implementation), ad hoc (during operations) or 
ex-post (after the outcome). John Boyd’s OODA loop is fully 
applicable (OODA-Loop).” 

“Then maintenance must be an issue and concern in the 
sector?”, I observed. “Oh, yes,” John responded. 

“Maintenance and life-cycle management are of the utmost 
importance. The costs are gigantic and often not even fully 
known due to organizational, budget and administrative 
fragmentation.” 

John had put his message across clearly. I now understood why 
he wanted to address regulatory aspects related to 
governance, risk & compliance. There was much more to the 
domain than a bystander might assume at first glance. Having 
solid regulatory capability, and thus being able to perform and 
adapt, was clearly a necessity for long-term survival. 

We ended the first interview session and went for a lunch. The 
food was excellent. Not being used to American-sized 
portions, I was unable to finish. The waiter asked me whether 
I would like to take the leftovers home in a bag. I declined, 
but wondered whether there was some kind of parallel 
with regulations. What if it were possible to give a portion 
of your regulations to a third party and consume them tailor-made 
according to your needs and appetite? I decided to discuss this 
with John, but it slipped my mind. 


Real-time regulatory oversight 

It was still raining, but the warm rain didn’t bother us. After a 
short refreshing walk, we resumed the interview. John 
proposed that we would discuss real-time regulatory 
oversight, since this was an important part of an 
organization’s regulatory capability. “Very well,” I said. 

“Could you please define this term and illustrate what it 
means?” 

“Real-time regulatory oversight maps transactional events to 
the external regulatory compliance rules and the internal 
policy decisions with a full reasoning chain to back up the 
decision recommendations or obligations,” was John’s 
definition. 
I looked at John and asked, “What do you mean exactly? Is it a 
kind of certificate of compliant behavior that documents what 
I have done and the reasons why?” 

“Amongst other things,” John reacted. “But even more 
importantly, real-time regulatory oversight provides the 
signposts and best practices that guide the decision-making 
process, not only alerting the user, but advising and guiding 
the direction of activities, with full reasoning as to why the 
recommendations are being made and - in some situations - 
helping to escalate the decision process within and across 
decision boundaries. 

“For instance, an ambiguous regulation impacting a 
transaction can be referred to the legal policy-maker for 
interpretation and authorization. A risk policy-maker can then 
further corroborate the interpretation of the rule and how it 
applies to the internal policy of the business. This increases 
the fluidity of the business, as opposed to trapping it in a 
framework of restrictive rules.” 

Since John had now also mentioned restrictive rules, I 
wondered whether he was referring to the executable 
preventive controls that my previous conversation partner 
mentioned. 

John reacted with a clear statement: “There is a place for 
both restrictive and prescriptive controls. The fallacy is the 
belief that direct intervention with restriction is the only 
cure.” 

“Imagine a world where you had no choice, where you were 
not allowed to reason about your decisions. Preventative, 
restrictive controls on every aspect of decision-making would 
make life impossible. Of course, there are specific situations 
where prevention is better than cure: passwords, permissions, 
restricted access, need-to-know and many others. But in 
general, even with these preventative controls in place, you 
can reason about their necessity and understand their 
usefulness. In other situations, like restricting your speed 
while driving in a school zone, you use your reasoning, as the 
car does not automatically brake. You understand the need 
and usefulness of such a restriction, and the prescription used 
to guide you is a sign that says ‘reduce your speed’. You make 
the decision, but the consequences of non-compliance can be 
unpleasant.” 
“For prescriptive rules, such as field descriptions, temporal 
functions, permissions, etc., this can be facilitated by a 
straight-through process using traditional restrictive controls. 
However, for decisions of an ambiguous nature, where 
multiple decision factors may exist, we need to surface the 
decision requirement, the parties involved and, of course, find 
the map to both the internal and external policy regulations 
governing the decision. In this way, management can sign off 
on, or add a comment to, a particular set of reasoning that the 
system provides.” 

John explained to me that restrictive and preventative 
controls impact the business at the transactional level. In 
traditional system implementations, they can become an 
obstructive nuisance to the operations of the business and, 
furthermore, be overwhelmed by the sheer number of 
variables in the control process. “This is, in part, due to the 
ambiguity of many of the regulations and the conflicts across 
business boundaries,” he said. 

“And prescriptive controls? What about them?”, I responded. 
John replied, “Prescriptive controls take the entire topic into 
consideration, and if mapped correctly, provide both a 
detailed and broad look at the issue being dealt with, within 
and across multiple roles, relationships, responsibilities and 
boundary conditions. But even more importantly, they allow 
us to look at the ‘systemic view’ of the topic. This means 
viewing the impact of the regulatory issue across multiple 
frameworks important to all of the constituents of the 
decision process: users, managers, departments, divisions, the 
enterprise and its customers, and regulators. 

“Secondly, restrictive controls may prevent otherwise 
‘reasonable’ decision-making processes that need to be 
carried out by management from taking place, especially 
where ambiguity and cross-discipline frameworks are 
impacted. In other words, at the end of the day, the business 
needs to make the decision, not an automated braking 
system.” 

“Okay,” I said. “Let me try to summarize this in my own 
words: real-time regulatory oversight is, on the one hand, 
about actively supporting the actual decision-making process 
by guiding, imposing and enforcing the correct usage of a rule 
or method based on the chosen or imposed constraints. On the 
other hand, it is also about recording the decisions made and 
the rules they are based on. Is that correct?” John smiled and 
simply answered, “Yes.” 

“Furthermore, there seem to me to be three ways of handling 
controls,” I continued. John looked somewhat surprised at 
that remark, so I proceeded. “The traditional way is the 
descriptive and procedural approach, in which control rules 
are documented in a manual and employees need to be 
trained to use these controls manually. The second approach 
is the restrictive way, which is dominated by repression and 
prevention. Controls are either automatically executed or 
enforced. The third approach is the prescriptive way, more 
like a doctor’s script, in which employees are actively guided 
towards taking certain steps, but with more freedom to 
operate within the set constraints.” 

John agreed, although he felt obliged to repeat that, by 
reasoning through a decision, you can, when making the 
decision, record the rules that you applied, where they map to 
regulatory rules, and the related internal policy. He 
continued: “When audited, the entire reasoning and decision 
map is built into the transaction, so that regulators, lawyers 
and policy-makers can see exactly how the decision was 
made: agreement or disagreement, refinement or elimination 
of rules. The impact helps both the regulator and the 
regulated.” 


Spontaneous networks in the decision process 

It seemed to me that, especially in the prescriptive situations, 
the dynamic of actors and tasks could be enormous. 
Consequently, I assumed that some form of support must be 
needed. I wondered what John’s thoughts were on 
collaboration in a dynamic environment. 

John smiled like he was being asked something he had 
explained before to someone else and was eager to also 
explain to me. “Supporting collaboration in a dynamic 
environment is about supporting spontaneity,” he said. “And, 
as you know, spontaneity is anathema to business process 
flows because it requires the ability to be fully adaptive to a 
situation, especially the unforeseen. When reasoning engines 
are used that separate business requirements from processing 
flows, spontaneity can be accommodated. This is especially 
important in order to accommodate change and complexity.” 

Accommodating spontaneity in business - that was an 
interesting concept. I asked for some further clarification, 
which John provided with great enthusiasm. 

“The same mechanisms that facilitate real-time regulatory 
oversight also provide the ability to create spontaneous 
collaborative networks. Consider the GRC framework that you 
presented. The semantic sweet spot and decision base in the 
framework can identify not only the decisions required, but 
also who or what needs to participate in the decision and 
when. These ‘spontaneous’ collaborations are both dynamic 
and non-linear. They may also incorporate hybrids of human 
and automated participants. It is the non-linear dynamic 
ability of the architecture you sketched that creates the real 
power to adapt and transform. This is possible because the 
process flow is separate from the process requirements. The 
process requirements set the goals of the compliance system, 
map them to the controls, and then surface them to the 
appropriate participants.” 

John was right. When considering his words, it became clear 
to me that if you can master meaning and context in taking 
decisions, you can also support spontaneity between all of the 
involved participants. 


Benefits for participants in the oversight system 

“Okay, John,” I said. “I think I understand you. Let’s talk now 
about the participants. How would you classify them, and how 
do they benefit from the oversight system?” John took a short 
pause to think and then proceeded with a long monologue. 

“In regulated industries, at the lowest level in the food chain, 
operatives will be entering into some kind of transactional 
framework, whether they are working with a client or 
producing a vital report. Real-time regulatory oversight 
establishes a one-to-one link with their objectives, provides 
best practices, and links all the regulated activities to the 
internal and external oversight controls. 

“Easy decisions are facilitated by the system and provide a 
clearly reasoned audit of all the activities; some 
automatically. This can mean monitoring not only the 
transactions, but also the systems they used, the data, the 
networks and other background compliance functions. Where 
the role, responsibility and relationships are monitored, the 
oversight system provides feedback. When ambiguity is found, 
or when further decisions are needed, they are escalated to 
management across the corporate boundaries. This improves 
control and performance. 

“Furthermore, while one action is being performed and 
awaiting control decisions, other actions by the user may be 
performed without interruption. The system can dynamically 
inform the user of which activities can be performed next, 
which are to come, and which are awaiting decisions. This 
improves workflow performance by an order of magnitude. 

“Management can review decision requirements, make 
recommendations and override decisions made by 
subordinates. The oversight system provides the reasoning 
behind making good decisions, highlights ambiguity, and 
allows for comments and documentation to be included. And 
this is especially important. Many decisions incorporate 
dynamic artifacts: e-mails, forms, spreadsheets and the like. 
Any decision based on these needs to be included and the 
real-time regulatory oversight capability allows them to be 
incorporated at the time and place of the decision. 

“For the C suite, the implications of compliance and 
regulatory controls impact the operations of the business. 
Being confident of compliant behavior is one thing; using it as 
a technical advantage is another.” 

At that moment, I raised my hand and said, “Just a moment. 
Could you please give an example of the use of such an 
advantage?” 

John nodded. “For instance, liquid coverage ratios affect free 
cash flow, the lifeblood of a business. If a compliance system 
can monitor assets, they should be classified and categorized 
with the confidence that they meet regulatory rules regarding 
their true underlying value. Assets that are deemed risky that 
are moved to a less risky category can then provide a lower 
coverage ratio requirement, thus providing the company with 
more free cash flow for investment. 

“Typically, risks are divided into baskets: tier 1 containing the 
most favorable assets, tier 2 the less-well-understood assets, 
and tier 3 containing the highest-risk assets, deemed as such 
because of the unknown variables that affect their value. 
Moving a product or a category of products from one to 
another can effectively transform available cash flow, 
balance-sheet performance and business fluidity. Access to 
changing rules and rapid adaptability to those rules is the key 
to rapid business adaptation. 

“Moreover, management can now perform their activities with 
confidence and, when decisions are made, access the 
reasoning behind them, how they comply with regulatory 
recommendations, or overrule them. This means that every 
transaction carries with it the reasoning behind it: from the 
lowest-level employee to the decisions of the CEO.” 

“And how about regulators?”, I asked. “What are their 
benefits? After all, they are part of the environment as well.” 

John responded. “Regulators can now access data that allows 
them to monitor national systemic risk. If the top-ten 
regulated businesses in any sovereign territory can provide 
near-real-time access to financial risk data, a government can 
anticipate its general sovereign risk and make currency 
adjustments or recommendations. 

“Regulators can actually receive responsive feedback on those 
regulations that are working successfully, and also on those 
that require clarification due to ambiguity. From the input of 
the regulated business, they can also determine their 
interpretations of the ambiguous rules. The response can 
improve overall performance of both parties. 

“This transformation turns regulation patterns away from 
control rules to advice and consent, based on reasoning 
chains. The automated capability allows topical regulations to 
be monitored across frameworks otherwise invisible to the 
regulators, or the business, for that matter. 

“Take, for example, the topic of ‘duty of care’. A sound GRC 
framework is able to deal with models of activity at the 
topical level. A topic may be ‘duty of care’. Duty of care can 
be defined according to the context. In IT, there may be a 
duty to provide the necessary level of data privacy with rules 
for permissions, transport network distribution, journaling and 
other IT-based requirements. In the sale of a product, it may 
be that the seller has made full disclosure of the necessary 
materials in order for the buyer to make a decision; for the 
risk officer, it may be to assure that risk levels are not 
adversely affected by the transaction. 

“In the above, one can see that the same topic, duty of care, 
is dealt with in different ways by each participant, and each 
has a different frame of reference. In the architecture that I 
advise, each frame is orthogonal in its design and 
implications. In this way, the duty of care is dealt with in 
context. But the rules and regulations are mapped all the way 
through the topic.” 

John ended with a closing remark: “And herein lies the 
difference between dealing with a complicated and complex 
system.” 

This was a perfect moment for ending the first day’s interview 
session. From experience, we both knew that discussions 
about complex and complicated systems can take a long time. 
So we decided to continue the next day and start with this 
theme. 

Since John had some family business to attend to, I went into 
town looking for a restaurant to have dinner at. There was a 
slight drizzle, but that didn’t bother me. I found an Italian 
restaurant, which was very busy. This is usually a good sign, so 
I asked for a table for one. The receptionist showed me to one 
of the few free tables. Soon a waiter came to my table. He 
introduced himself as Vincente and told me that he would be 
my personal waiter for the dinner. That was a good start; you 
seldom find this approach in Europe. Unfortunately, however, 
there would be long intervals between Vincente’s visits to my 
table. For example, when I had finished a course, some 
twenty of his colleagues passed by my table without paying 
notice to me, which was rather annoying. It felt like they 
weren’t interested. As I sat there, I would have liked that 
parallel approach which John mentioned. I thought to myself 
that in customer services a combination of spontaneity and 
personalization would be a better approach to the duty of 
care. 
The next morning, after a good night’s sleep, I looked up an 
image I created in 2011 about complexity to give me a starting 
point for our discussion. The image presents in the middle the 
three axes of complexity (as introduced by Scharmer) and 
groups of keywords that define the environment of hyper 
complexity in which decisions have to be made. 


Figure 12: Complexity in context 


I met John at the breakfast table of the hotel. During the 
night, the rain had stopped, but it was still very cloudy. The 
weather forecast for the coastal zone was that it would stay 
this way all day, so it was another perfect day for work. We 
first looked back at the topic of the day before, about 
regulatory capability, real-time regulatory oversight and 
spontaneous networks. 

Real-time regulatory oversight in the way John described it 
yesterday focuses entirely on the transactional level. So I 
proposed that we should today discuss not only the aspect of 
complexity, but also the aspect of impact assessment. After 
all, impact assessment is another important part of the 
regulatory capability of an organization. Besides that, it is 
directly connected to the “realm” of complexity. It is affected 
by all the three axes and keywords in the “complexity in 
context” image that I briefly discussed with John. 

To prevent a theoretical discussion about complexity, we 
agreed to focus on aspects related to risk-tolerance exposure 
and the modeling of processes and decisions within and 
between frameworks. 

Taking this angle as a starting point, John responded: “I have 
a friend who says, ‘It’s not what you don’t know that will hurt 
you, it’s what you know that isn’t so.’ The difference between 
dealing with complexity and complication is one of the 
unknowable versus the knowable. Typically, in old-school 
systems development, modeling comprises linear processes of 
formal reductionism to model individual elements or 
components of data and process flows with the typical 
decision-junction-switching directions or bridging of ‘swim 
lanes’. 

“As anyone familiar with the process knows, this kind of 
modeling can get very complicated very quickly; especially, 
when one encounters after months of discovery the ‘yeah, 
but’ anomaly to the equation that has been set up. Part of 
this has to do with the inherent non-linearity of actual 
operations in the real world. Our attempts at orderly 
discovery of workflows were easy in the days of predictable 
outcomes in simple models of behavior that would encounter 
simple modifications when simple changes took place. These 
models usually operated in a single framework or context of 
activity: the factory floor, the accounts department, the 
typing pool. 

“The keyword, of course, is ‘simple’. But advances in 
technology, increased transaction speeds, multi-dimensional 
interests and web-scale interactions have made single-framework 
models and the concept of business process 
modeling notation (BPMN) tools not only redundant, but 
inappropriate for dealing with complexity. BPMN deals with 
reductionism and the knowable, and is therefore perfectly 
suited to defining complicated processes; in other words, the 
knowable. But it starts with the premise that something is 
knowable. 

“The hubris with which systems are addressed today states 
that ‘If I can know the state between A and B, and then B to C 
and C to D, then, I can trace A to ...n functions, map them and 
the system can be knowable, definable and hence 
controllable.’ And, usually, these deal with single frameworks 
or contexts of operations. However, like life, business throws 
the occasional curve. And that curve usually comes from a 
framework not previously considered. 

“These curveballs are, for most businesses, equated to the 
unknowable, while the unknowable equates to risk. The 
appetite for risk is usually a factor of ‘known risk,’ but it is 
the unknown risks or ’what you know that isn’t so’ that cause 
the most damage, as can be seen from the systemic collapse 
in the financial institutions that have caused an avalanche of 
unintended consequences resulting not just in financial 
problems, but social upheaval, personal catastrophe, and even 
sovereign collapse.” 


Detecting the unknown 

I recognized the linear approach trap that John mentioned and 
raised the question of which approach helps to detect the 
unknown risk and “what you know that isn’t so”. 

John responded: “After forty or so years of continuous 
research and development in systems design and programming 
tools in the artificial intelligence arena, a level of maturity 
has evolved that facilitates the development of systems that 
deal with complexity. As a result, there are more complex 
(unknowable) than simply complicated systems. One outcome 
has been the separation of the relationship between objects 
and concepts and the flow of activity between and across 
them. 

“The concept is simple: The mortgage (an object) requires (a 
relationship) top credit (another object or concept); there is 
no ‘if, then, else’ statement required. The process of 
determining whether the goal of obtaining a mortgage is to be 
met is dropped into an inference engine that determines the 
goal and the requirements for its achievement. It discovers 
the dynamic activities that go into achieving the goal should 
the ‘top credit’ requirement be met, or stops the activities 
should the goal not be met. 
“That was simple enough, but it works in the context of the 
seller and buyer. Now add in the complexity of, say, 
regulatory controls and minority rights, and the computer 
systems to support the production of the paperwork. Then add 
the various underwriting and risk models to be addressed and 
the mitigation of the risk by breaking the product (the 
mortgage) up into interest-rate derivatives, and cross-border 
jurisdictions, etc., etc. In this way, a simple transaction 
becomes a complex web of inter-framework activity. And if 
you don’t believe that, try ascertaining who actually owns 
your mortgage.” 


Try something different 

Before I could comment, John continued unperturbed. 

“‘Okay,’ you say. ‘I understand the world is more complicated 
and that change is happening at an exponential rate. But what 
can I do?’ Well, you can start by trying something different for 
a change. You already know that what you are doing does not 
work, so why repeat the same mistakes over and over again?” 

Figure 13: Satisfying topic-based requirements 

Source: Be Informed, John Coyne, 2013 


“Looking at governance, risk & compliance and using the idea 
of simple concept (object)/relationship/concept model, we 
can begin with modeling topics of governance (risk, risk 
appetite, policies) and external regulations (compliance). 
Initially, we can start with topics at a high level. Duty of care 
(Topic A) is a topic that we will focus on for the time being. 
Topic B could be policy and risk tolerance.” 
John drew the above picture and explained: “In the picture, 
the topics are modeled and contain process requirements and 
data that are needed to satisfy certain arbitrary requirements 
of the regulatory and policy topics.” 

“The regulatory and policy models are designed at a gross 
level. A first pass at interfacing to the sub-systems and data in 
the legacy environment is achieved through a service- 
oriented-architecture (SOA) approach. This is a non-invasive 
and non-destructive method of creating new systems without 
disturbing day-to-day business. These legacy systems may 
include point solutions for anti-money laundering, suspicious 
activity reporting or liquid coverage ratio requirements. The 
point of the model is not to replace them, but to assure that 
they are doing the correct systemic job. 

“Exposure to risks will be uncovered very quickly. In this case, 
topic A has two factors that do not satisfy the goal of the 
regulation. These become knowable, definable and fixable (at 
whatever layer of detail). Topic B has one missing variable. 

“But the chain reaction moves the non-compliant nature of the 
problem up to the topic. Now you know that you cannot fully 
satisfy the ‘duty of care’ topic (A) and cannot fully satisfy 
your internal policy. 

“Not satisfying a regulatory requirement with all its 
ramifications (fines, imprisonment, loss of public trust) may 
be more important than, say, not meeting only one trace line 
in your governance policy. Alternatively, they may be related 
(more on this later). But now you know what you have to do. 
As the model increases in complexity, it will expose more 
gaps, but as these gaps emerge, they will, of course, become 
knowable and therefore fixable.” 


Dependencies within multiple frameworks 

John’s explanation made sense. The question, of course, was 
whether this same approach would be viable for dealing with 
multiple frameworks. 

John replied: “That is a legitimate question. Whilst this is a 
powerful start, it is indeed only dealing with that single 
framework we discussed before. Now we will start to deal 
with multiple frameworks.” 
John drew an image with three frameworks and continued 
with his argumentation. 

Figure 14: Dealing with multiple frameworks (Framework 1, Framework 2, Framework 3) 

Source: Be Informed, John Coyne, 2013 


“Now we are dealing with just three frameworks. The first is, 
for instance, a buyer/seller relationship in the business front 
end. The second is the internal policy related to, say, the 
product being sold, while the third is the operations and 
technology to support the business. 

“Each framework has been modeled, and the behavior of each 
is well known. The name of the topic is, for instance, 
standardized in a business, data and/or process ontology; in 
our case, topic A, duty of care. Since we are not running a 
process, but just the relationships between (things), we can 
run our models against our inference engine and discover that 
there is a linkage between all three frameworks.” 

At my request, John gave the following example. “In 
framework one, the duty of care may have been to apprise the 
buyer of all the risks related to the product being sold and 
mapped to a regulation dealing with consumer protection 
(which is fully discoverable in the model’s knowledge base). 
The second framework may concern stakeholder protection. In 
this case, the policy decision may be a risk tolerance or risk 
exposure relationship. ‘This is a $30 million mortgage, and it 
has put us over the risk coverage limit we set for the month.’ 
This is mapped to an internal policy, and also mapped to 
regulations regarding the permissible acceptance or denial 
criteria. The third framework is the operations and technology 
framework, and the duty of care here may be the protection 
and privacy of the data used in the decisions, its transmittal 
and traversal across and between networks. 

“We can now determine something we did not know in the 
past, and may never have known until it was too late. That is 
to say that there is both an interrelatedness and 
interdependency between frameworks that is essential to both 
external and internal compliance. A case in point will 
demonstrate the importance.” 

John provided yet another example of a real-life case. “A few 
years ago, a foreign national came to the U.S. and opened a 
trading account with a securities company at a retail location. 
He met the criteria to open the account, paid in his money, 
set up a relationship with the broker, and made some trades. 
He later went back to his native country and, after some time, 
asked the broker to send him updates on the trades he was 
making and his current positions. (This was obviously pre-internet.) 
The broker had the IT department produce and send 
the report. The broker and his company were summarily sued 
over transgressing data privacy rules in the buyer’s native 
country (where, incidentally, the brokers also operated). The 
ensuing litigation ended with a settlement amounting to tens 
of millions of dollars. 

“Today, IT departments, and records managers in particular, 
are very sensitive to the distribution of client records across 
international borders, where retention rules may differ, and 
where certain data is not permitted to traverse certain 
networks that traverse certain geographic boundaries. You can 
now begin to see why systems integrators have such a hard 
time finding the connectivity or integration points in and 
between differing frameworks. 

“As complex as this model is (and I know it looks simple, but 
try doing this the old fashioned way), it is nothing when 
compared to unknown and multiple cross-topic dependencies. 
You can begin to get an idea of the complexity 
(unknowability) situation from the next diagram.” 

John drew an image of two frameworks with a relationship at 
a lower conceptual level. 


Playing Jazz in the GRC Club 

Page 40 

be informed 


Figure 15: Surfacing the unknown (Framework B) 

Source: Be Informed, John Coyne, 2013 


“In this example, the model was run through the inference 
mechanism and now something truly unknown has been 
surfaced. It turns out that there is a relationship, and perhaps 
a dependency, between a leaf node of topic A and an obscure 
leaf connection to topic C (it doesn’t matter what that is). 
This dependency or risk factor may be problematic or 
irrelevant to the big picture. Nevertheless, the policy-maker 
(framework 2) is now actually able to make that 
determination, because they know something new that they 
did not know before. It may be an anomaly and an obscure 
link between regulatory rules that were not known before. 

“For example, consider that all the topics up until now had to 
do with a U.S. regulation and topic C was a policy that dealt 
with a European requirement. Perhaps, there is a linkage that 
is meaningful, or perhaps there is a conflict. Whatever the 
case, the matter can now be escalated to a solution by either 
bringing it up with the regulators or with management. But in 
every case, information is power, and the complexity (the 
unknown) levels of risk are mitigated by that very 
knowledge.” 
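The topic model John sketches in Figures 13 to 15, worked through as an added example that is not code from the book or from Be Informed: topics in three frameworks are declared only as concepts that require other concepts (no if/then/else in the model itself), a small backward-chaining evaluator reports the leaf requirements a topic cannot satisfy and propagates the failure up to the topic, and a second pass surfaces a leaf that topics in different frameworks both depend on. All topic names, frameworks and facts below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Concept:
    name: str
    framework: str
    requires: Tuple[str, ...] = ()  # the relationship: concepts this one depends on

Model = Dict[str, Concept]

def make_model(concepts: Iterable[Concept]) -> Model:
    """Index concepts by name; reject a requirement that was never modeled."""
    model = {c.name: c for c in concepts}
    for c in model.values():
        for dep in c.requires:
            if dep not in model:
                raise ValueError(f"{c.name!r} requires unmodeled concept {dep!r}")
    return model

def evaluate(model: Model, facts: Dict[str, bool], goal: str) -> Dict[str, bool]:
    """Backward-chain from goal; return the status of every concept visited.
    A leaf holds only if facts records True for it (unknown = unsatisfied); a
    non-leaf holds only if all its requirements hold, evaluated without
    short-circuiting so that every gap surfaces in one run."""
    status: Dict[str, bool] = {}
    in_progress: Set[str] = set()
    def solve(name: str) -> bool:
        if name in status:
            return status[name]
        if name in in_progress:
            raise ValueError(f"cyclic requirement through {name!r}")
        in_progress.add(name)
        concept = model[name]
        if concept.requires:
            ok = all([solve(dep) for dep in concept.requires])
        else:
            ok = bool(facts.get(name, False))
        in_progress.discard(name)
        status[name] = ok
        return ok
    solve(goal)
    return status

def gaps(model: Model, facts: Dict[str, bool], goal: str) -> List[str]:
    """Leaf requirements the goal topic cannot currently satisfy."""
    status = evaluate(model, facts, goal)
    return sorted(n for n, ok in status.items() if not ok and not model[n].requires)

def reachable(model: Model, name: str) -> Set[str]:
    """Every concept the named concept depends on, directly or indirectly."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        for dep in model[stack.pop()].requires:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def cross_framework_links(model: Model, topics: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(topic, topic, shared concept) for every pair of topics in different frameworks."""
    links: List[Tuple[str, str, str]] = []
    tops = sorted(topics)
    for i, a in enumerate(tops):
        for b in tops[i + 1:]:
            if model[a].framework != model[b].framework:
                for shared in sorted(reachable(model, a) & reachable(model, b)):
                    links.append((a, b, shared))
    return links

# Constructed model: three frameworks with one topic each (cf. Figures 13 to 15).
MODEL = make_model([
    Concept("duty of care", "front end",
            ("product risks disclosed", "suitability assessed", "client kept informed")),
    Concept("client kept informed", "front end", ("positions report delivered",)),
    Concept("positions report delivered", "front end", ("client residence known",)),
    Concept("product risks disclosed", "front end"),
    Concept("suitability assessed", "front end"),
    Concept("client residence known", "front end"),
    Concept("risk tolerance", "policy", ("exposure within monthly limit", "counterparty rated")),
    Concept("exposure within monthly limit", "policy"),
    Concept("counterparty rated", "policy"),
    Concept("data privacy", "operations", ("cross-border transfer permitted", "retention rule applied")),
    Concept("cross-border transfer permitted", "operations",
            ("client residence known", "transfer route approved")),
    Concept("transfer route approved", "operations"),
    Concept("retention rule applied", "operations"),
])

# Constructed facts for one case; 'suitability assessed' is deliberately absent (unknown).
FACTS = {"product risks disclosed": False, "client residence known": True,
         "exposure within monthly limit": False, "counterparty rated": True,
         "transfer route approved": False, "retention rule applied": True}

if __name__ == "__main__":
    for topic in ("duty of care", "risk tolerance", "data privacy"):
        print(topic, "gaps:", gaps(MODEL, FACTS, topic))
    print("cross-framework links:", cross_framework_links(MODEL, ("duty of care", "risk tolerance", "data privacy")))
```

The shared leaf `client residence known` is the kind of cross-framework dependency Figure 15 describes: the front-end topic and the operations topic both hinge on it, which no single-framework model would show.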


Mitigation 

I liked this approach to impact assessment. It proved the 
power of a GRC framework, not only for the transaction and 
monitoring phase, but also for the inception phase. It 
expanded the risk tolerance exposure assessment from pure 
economic metrics to regulatory and, probably in the 
slipstream of that, also social risk components, and allowed 
them to be weighted coherently. 

This was confirmed by John’s next example. “Now, consider a 
completely different approach to dealing with the risk 
elements. As can be seen, you now know the dependencies 
and the relationships between things. Let’s say, that in the 
first picture you know that you cannot meet all the 
requirements of topic A, and the actual elements have been 
exposed. However, satisfying the requirements may cost more 
in terms of IT overhead, management, system and procedural 
change than you have the appetite for. You can now risk- 
adjust your decision to satisfy the demand of the regulation. 

“You can even go back to the regulator (something that may 
not have been possible in the past) and tell them specifically 
what the systems technology impact is for that regulation, and 
also the time and cost required in order to satisfy it. The 
regulator may adjust the compliance requirement, give you 
more time, lessen the burden, or provide an alternative 
solution. The important thing is that you know, and 
complexity becomes simply complicated.” 


Being able to plan and forecast budget 

This was a long interview session in which I barely got a word 
in edgewise. John’s argumentation was in full flow. 
Nevertheless, I gave it a try. 

“John,” I said, “the next stage of this knowing is prediction. 
Not only being able to know in time, but also being able to 
know before in the sense of predicting the emergent and 
possible future. That seems to me to be possible, too.” John 
confirmed that to date, because the models can be exercised 
outside of the current IT infrastructure, you can build models 
that can predict the effects of regulation on your business 
from every perspective: business, operations, technology, 
stakeholder value, etc. 

“In addition,” said John, continuing with a new line of 
argument, “using modeling in this extra-system approach also 
allows you to incorporate governance and regulatory rules of 
engagement in advance of their coming into law. In other 
words, you can look at a regulation, determine its impact in 
and across frameworks and the business, determine how to 
make changes (well in advance) and, on the day that the 
regulation becomes law, allow those changes to take effect. 
The game of catch-up will be mitigated. 

“I have probably already said that regulations are growing 
faster than most GDPs, and that, in a world of economic 
decline they are, in fact, the fastest-growing industry. 
However, for international businesses, and those that transact 
business internationally, this means that there are competing 
local jurisdictions that may trump, conflict with or otherwise 
create turmoil with regulations that are in conflict with each 
other. Imagine, therefore, being able to not only model and 
surface these conflicts, but also adjust their risk weighting. 
This allows you to use an axiological approach to the value of 
the regulation, the governance policy and compliance to 
either. Moreover, you can use that valuation to determine 
future budget in making adjustments for the changes that may 
need to be made. This forecasting capability puts the business 
somewhat back in control of an ever-increasing level of 
complexity caused by unforeseen demands from regulators. In 
other words, you can plan.” 

It occurred to me that the advantages that John described 
would appeal to the board and C level. The question was how 
it would appeal to regulators. John promised to answer this 
question after lunch. 

The lunch volume led to the same overload problem as the 
previous day. It seemed to be a continuous issue. 


Regulatory arbitrage 

After lunch, John continued with his explanation as if he had 
never stopped: “For regulators, this is also a valuable tool,” 
claimed John. “Instead of dealing with generalizations like 
‘It’s too hard’ or ‘I don’t have the infrastructure to support 
this,’ regulators can see the direct impact on businesses in 
real terms. They can make adjustments that aid in the 
implementation by perhaps softening, delaying or working 
with the business to come up with regulations (or better- 
defined regulations) that might work. 

“In real terms, regulations come in two flavors: those that are 
definitive and well understood, and the ambiguous and open 
to interpretation. In transactional systems, the models can 
provide oversight for both: on the one hand, determining and 
mapping transactional events to actual rules of conduct, and 
on the other, intervening so that within the transaction, 
policy-makers, lawyers or compliance officers can insert 
interpretations of the rule and either A) allow the transaction 
to proceed, or B) interrupt the transaction until clarity is 
agreed. This is the overall difference between embedded 
controls that are built into transactional systems with 
preventative or repressive measures installed into the flow, 
and the concept of oversight, where transactions are 
interpreted by the rules of engagement and reasoned in terms 
of their appropriateness at the time and in the situation at 
hand by an externally managed control environment. 

“Another reason why the external nature of the controls and 
oversight is important is that, as we have seen, there may be 
multiple jurisdictions and levels of regulatory controls. 
Embedding rules for systems in the U.S. may have unforeseen 
consequences in operating the same system in the UK. But 
more importantly, if custom systems were created for every 
regulatory agency, they would be almost impossible to 
maintain. Externally managed control environments enable 
risk management at the point of risk.” 

John started to smile, saying, “The astute will also note that 
there is an opportunity for risk managers to engage in 
regulatory arbitrage. In other words, transactions that might 
otherwise be onerous or even banned in one location may be 
acceptable in another. The point is not whether this is right or 
wrong from an ethical standpoint; it is whether or not it is 
appropriate for the stakeholders. Business is, after all, usually 
a profit-seeking enterprise. The rights or wrongs can be 
debated only if they are known.” 


Business transformation 

“But reviewing, you can now see that starting with topical 
approaches to regulations allows you to ‘get there from here’. 
By starting at levels you know you can manage, and by 
knowing the previously unknowable dependencies within and 
across frameworks, you can enable planning, responsiveness, 
budget, manpower and systems requirements; basically, the 
main factors in handling high-speed change. 
“Interdependent frameworks also allow collaboration between 
contexts, roles, relationships and responsibilities. Testing with 
a common inference engine will allow multiple frameworks to 
surface connections not otherwise seen or, for that matter, 
foreseeable. In complex systems, this can reveal sparsely 
connected networks that were not planned, but are exposed 
by the goal-seeking nature of the inference mechanisms. This 
is an important distinction from reductionist methods that 
model specific processes and then interface them into the 
complicated (not complex) system. It means that it is the 
engine - as opposed to the business process analysts - that 
reveals the flow. Such revelations may be a catalyst for 
business transformations that would have otherwise been 
overlooked. 

“But let’s also look at other motivating requirements. 
Compliance, following the rule of law and general ethical 
behavior, is one aspect of regulatory management. But think 
of the modeling as an opportunity to create new business 
opportunities.” 

John came back to his previous example of the cash flow 
opportunities and expanded it further. 

“As an example, the life blood of most businesses is access to 
capital. In many regulated businesses, the available capital is 
determined by the amount of Liquidity Cover Ratio (LCR) that 
is required to cover product risk in the corporate portfolio. 
Many of these products are placed in baskets of risk. 
Notwithstanding the complexity of the changes to the names, 
let’s just think of them as: tier 1, tier 2 and tier 3 (to be 
phased out). Tier 1 are pretty well-known products with real 
asset values based on a number of determining factors like 
“fair value” and “cost basis”, but some companies use both 
terms in the same sentence, which promotes ambiguity. As 
anyone who has bought a car knows, the cost basis is not the 
fair market value of the car when you drive it off the lot. Tier 
2 may be valued at inappropriate rates because, although they 
may be exotic derivatives, a liquid market may exist for them, 
which makes them really a tier 1 asset, and some 70% of these 
assets may be illegitimately characterized with more risk than 
there is. Or they are valued against some model with a 
matrix of valuation criteria and confidence levels that are 
arcane and complex to describe rationally. Tier 3 is simply 
anybody’s guess as to what the true risk and value is. This has 
been termed “mark to myth” in some circles and will comprise 
assets in the tier 2 class going forward. 

“Well, if your LCR is aggregated at, say, 17% of your current 
liquidity, then that is the set-aside of capital you need to 
meet your net stable funding ratios. But let’s say, for instance, 
that we can map some of the tier 2 products (possibly 70%) 
against actual models of confidence and map those to 
regulatory rules regarding those valuation models and move 
some tier 2 risk to tier 1 and maybe even some tier 3 to tier 2. 
The net effect may be that the LCR can be reduced to, say, 
12%. Now you have to ask the CEO and CFO what an extra 5% 
of available capital might mean to their operational, 
investment or investor activities. My suspicion is that they 
would thank you very much, especially if the models 
expressly (which they would) map to the regulations and 
show the exact reasoning behind the decisions. Now the CEO 
can look the regulators and stakeholders in the eye and say, 
‘This is why I made the decision’. As importantly, the risk 
weighted averages may move on a daily basis depending on 
trading and operations. A dashboard that signals these 
changes would be a valuable tool for (near) real time 
regulatory oversight and capital management. 

“It’s a lot better than explaining to Congress that you don’t 
know what happened to $1 billion in customer deposits. Or 
explaining that you don’t know whether your trading unit lost 
$1 billion or $6 billion, with the attendant loss in confidence 
represented by a reduction in market capitalization because 
your stock slumped by 30%. 

“This new form of modeling provides, amongst other things, real-time 
regulatory oversight that allows better planning, better 
control over the business, flexibility of response to changing 
market conditions and regulatory environments. And it allows 
the business to leverage the current systems and 
infrastructure they now have rather than replace everything 
wholesale,” which some regulators are considering. 

We decided to finish the interview for the day and go for a drink 
in the hotel bar across the street. While enjoying a glass of 
wine, we looked back and concluded that we needed to adjust 
our original plan. It seemed obvious to us that our next matter 
for discussion should be the technology that makes the 
described topical approach of regulations and policies 
feasible. Any remaining aspects could be discussed after. 
John left early to pick up some medicine for his wife and bring 
it to her. His empty seat and the seat next to it were almost 
immediately claimed by a couple in their late fifties. We 
introduced ourselves. The lady in question turned out to be a 
manager of the legal department of an insurance company in 
the Boston area. I could not fail to ask her whether regulatory 
change was a burden for her department and the company. 
This was absolutely the case. Her department could barely 
cope with the impact of regulatory change, she told me. The 
burden of compliance and litigation represented a major 
bottleneck. 

This led me to briefly explain to her the GRC framework 
concept that enabled once-only modeling of topic-based legal 
and policy requirements and multiple reuse. I also explained 
how this makes controls actionable, enabling them to be 
executed before the transaction takes place, thus creating a 
full reasoning tree of decisions, including the legal sources on 
which the decisions are based. “I didn’t know there was 
technology that could make this possible,” she said. “We 
certainly would benefit from such a technology.” This 
conversation was an extra stimulus to focus on the technology 
aspect in the next interview session. 
What is the technology base of the 
future? 


Introduction 

That morning, Florida looked totally different. The sun had re- 
emerged and brought with it that vacation atmosphere the 
spring breakers were longing for. Since we were early, John 
and I were able to select a table outside that was far away 
from the pool. There we continued our conversation. 

Based on the dialogue in the first chapter and the response of 
the lady from the insurance company, we concluded that the 
financial sector is being held back by technology that is 
incapable of delivering the functionality that is required in an 
era of dynamic change and uncertainty. This is probably true 
of all the other heavily regulated industries. It raises the 
question of what characteristics a new and innovative 
technology would need in order to make a difference. 

If a company is being asked to invest now in a technology that 
should be of significant value in the future, it would be useful 
to have some idea of what that future will be like. Only then 
can one hope to reasonably assess whether the proposed 
technology investment will offer material advantage and 
reward. So I asked John the following question: “What are 
characteristics of the information systems of the future?” 


Characteristics of the information systems of the 
future 

John took a moment to think before answering as follows: “In 
my opinion, there are a number of characteristics of future 
information systems that are already clear: 

1. A shift from data towards knowledge 

2. An increase in connectedness of people and their 
information-handling tools 

3. A shift from obliging people to adapt to computers to 
enabling computers to adapt to people.” 
According to John, the buzzwords that currently label or 
describe this shift are “Web 3.0” or “semantic web”. Both are 
internet-oriented technologies, John explained: “The reason 
that these technologies are identified as the relevant 
foundation for the future is that, while the vast majority of 
data is owned and managed by corporations, the vast majority 
of knowledge is being handled by way of the internet, mostly 
in the form of text, but increasingly in other forms.” 


A brief sketch of some salient features of the past 

John continued by saying that, until the advent of the 
internet, software companies had aimed to establish market 
dominance by defining proprietary solutions and attempting to 
make their proprietary schemes de facto standards. 

“Initially, the customers for such software were corporations. 
Increasingly, businesses are operating as aggregates of 
individuals, and are increasingly operating on consumer- 
oriented machines - machines that have the computing power 
of million-dollar machines of a decade and a half ago. Large 
mainframes today, for instance, consist of swinging gates 
loaded with plug-in-card versions of these individual server 
machines.” 

According to John, Microsoft Windows is the paradigm 
instance of the proprietary strategy in action. He said, “As 
brilliant a technology strategist as Bill Gates is, he was taken 
by surprise by the internet and, as he documents in his book, 
his realization of its significance obliged him to turn his 
company on a dime to reposition for the strategic implications 
the internet (cloud computing) created. The internet has 
turned the hair of the Microsoft Corporation prematurely gray; 
that is, has turned Microsoft into a ‘mature corporation,’ 
positioning Google as the upstart and growth darling instead.” 

“You know,” John said, “actions taken by Microsoft as a 
consequence of its market dominance had the practical effect 
of reducing to near-zero the market value of competitor 
software. The internet offered an alternative path to market 
and a different business model for the work products of all the 
software engineers who didn’t work for Microsoft. Ad revenue 
associated with web pages replaced software revenue sales as 
a basic business model. 
“Today, the army of programmers all over the world working 
to deliver software that works in conjunction with the internet 
dwarfs the resources of any software corporation, even 
Microsoft, Oracle, IBM and HP all put together. Furthermore, 
and even more importantly, the constant improvement of web 
authoring tools has effectively increased the number of 
‘programmers’ working on the internet by many orders of 
magnitude beyond the number of people with the job 
classification of ‘programmer’. 

“While software that is not internet-oriented will continue to 
be sold to corporations and individuals for years to come, 
those software packages will continue to evolve to be 
‘internet-compatible’ or cloud-based. The sheer global scale 
of the internet and the vast pool of talent working on it will 
ultimately put an end to the proprietary software business, 
except in niche markets,” John predicted. 


It is time for a ‘do’ technology 

With that sketch of some of the leading characteristics of the 
past in mind, John turned to a consideration of the future: “The 
technologies being developed by W3C, the consortium that 
establishes, publishes and maintains internet technology 
standards, are varied and target different challenges, but 
have, in broad terms, a common characteristic, in that they 
define methods for creating metadata that is machine 
processable. Metadata is data about data.” 

He emphasized that computers cannot process people or 
things. “Computers can only process descriptions of people or 
things, so the Semantic Web standards concern themselves 
only with such descriptions.” 

“What about these standards?” I asked. “All the new 
Semantic Web standards have a common characteristic in that 
they are passive,” John continued. “Consider, however, the 
impact this has on the way the world works. As descriptions, 
they don’t do anything. They just sit there waiting for 
something to do something with them. This is true even with 
the best intentions of the Object Management Group, with 
such efforts as the Financial Industry Business Ontology (FIBO) 
and the closely related efforts of the Enterprise Data 
Management Council (EDMC) in defining classes of financial 
descriptors to be used in such ontologies. 

“In addition, regulators around the globe are trying to get a 
grip on these emerging standards. The SEC has mandated the 
use of technology as business reporting XML, although they do 
not use the technology to any significant advantage. 

“This is not a criticism of the emerging semantic metadata 
standards,” John says. “Defining such standards is necessary 
foundation work. But clearly, that can’t be all there is to it. 
We can’t have a useful language consisting only of nouns and 
adjectives. We need a technology for doing things with all this 
information. We need verbs and adverbs.” 

John puts forward as an argument that metadata has the same 
relationship to an underlying information resource that a sign 
has to a store: “When you hang out a big sign over your store, 
you haven’t actually done anything. You have enabled others 
to do something if they so choose. Stores without shoppers are 
of little use whether the stores have signs hanging out in front 
or not. Think of concepts in models and the relationships 
between concepts as shoppers in the world mall of 
information.” 

“What about these concept models?”, I ask. “Models do 
things,” replied John. “That is the purpose of the ‘concept 
modeling’ technology. Concepts and their relationships are a 
means for getting things to happen. They are a means for 
getting things to happen that does not produce a proprietary 
vertically integrated ‘application,’ or even an ‘application 
suite’. They are a means for getting things done in an open, 
pluggable knowledge-processing infrastructure that will be 
initially developed for use inside the corporation,” he 
predicted. 

“Sorry, John,” I said. “Now you have lost me. Could you 
please elaborate on this concept computing? What is it, what 
does it do, and what is the crucial difference?” 


Concept computing 

“Sure, with pleasure,” John responded. “Concept computing is 
the term I prefer; others call it semantic computing or 
knowledge computing.” “Aha!”, I said. “So it has to do with 
processing meaning?” 

“Yes, indeed,” John replied. “To quote Lou Gerstner of IBM, 
‘Every twenty years or so, in IT, a new technology emerges 
that, by virtue of its exceptional ability, is able to address an 
entirely new class of customer problems.’ Such a technology 
transforms the way people work, improving productivity by 
providing non-linear improvements in performance. Now, for 
the first time, a new technology has emerged that breaks the 
bonds of the previous paradigm and allows pure semantic 
computing to emerge, putting the power of computing in the 
hands of domain experts, and facilitating a leap in 
productivity. But that’s not all! Concept computing shifts the 
paradigm of value from process and data to decisions and 
actionable computing: the next great value enabler in 
computer progress.” 

“Wait a minute!”, I responded. “Do you mean that concept 
computing enables an organization to support or even 
automate decision-making? That is exactly what the industry is 
looking for.” 

John nodded affirmatively and explained: “Concept modeling 
is a new way of creating support systems that does not use 
traditional computing analysis and design models. Concept 
computing uses semantics and executable models tied to 
inference engines to deliver rapid processing capability 
associated with rules. The meaning derives from networks of 
relationships between concepts. Another important point is 
that they are modeled separately from IT systems.” 

“It is faster, more adaptive and more flexible. Some refer to 
this as agility. Since the IT systems are a service to the 
models, there is no danger of infrastructure corruption, 
interference with current data and systems or major 
operational overhead.” 

“By contrast, concept computing delivers a new user 
experience closer to natural human processes. It synthesizes 
functionality into capability standards and higher-order 
solutions. Last but not least, concept computing empowers 
breakthroughs in value and life-cycle economics with 
measurable results. 
“Business users and their experience become central to the 
development process. Models operate more closely to the 
human experience and are understandable to mere mortals. 

“More importantly,” John continued, “since the business 
owner is empowered, new breakthroughs can be expected 
that increase the value to all stakeholders.” 

“A major complaint of business users is that they cannot get 
what they want fast enough, or they are put on a waiting list 
for development where the maintenance of current systems is 
well ahead of them. Sometimes opportunities in the business 
world are lost because there are no support systems available. 
Concept modeling eliminates this problem.” 

At my request, John named some important characteristics: 

• “Concept models link sources, connect knowledge and 
data, and enhance context 

• Concept computing integrates data, decisions and 
actions 

• Concept computing is goal-oriented 

• Concept computing monitors pre and post-conditions 

• Concept computing facilitates decision-making with 
reasoning, applying rules and conditions.” 

That last characteristic caught my special attention and, 
pretending not to know, I said, “Hold on, please. You are 
talking about a rules engine, aren’t you?” John shook his head. 
“No, that is a mistake many IT executives make at the 
moment. They misunderstand the rules aspect of concept 
modeling and refer to these systems as ‘rules engines,’” he 
said. “Nothing could be further from the truth. Inference 
engines align with the concepts and interpret certain 
conditions as rules or, in most cases, pre and post-conditions 
of an open architecture of available next steps. 

“They reduce the need for thinking of every potential rule 
pathway because they find their own path. This eliminates the 
entire ‘what if/else’ paradigm. Existing schemas, ontologies, 
models and business logic can be imported using open 
standards. Imported linked data and ontologies in RDF and 
OWL can be connected to analytic, decision and process 
models. This concept technology can also combine ‘natural’ 
language understanding with semantic models to extract and 
apply knowledge and information from unstructured sources.” 
It almost started to dazzle me, but John continued 
imperturbably. “For advanced IT departments that have built 
ontologies of the business, that are static representations of 
the connectivity of units and process and their relationships, 
concept computing allows them to be imported and 
implemented as processable applications. This leverages the 
work already performed and demonstrates the value of that 
work in operational modes.” 


Enabling computers to adapt to people 

What John told me was very exciting, since it announced a 
shift from obliging people to adapt to computers to enabling 
computers to adapt to people. 

John also recognized this trend and told me that the very 
starting point for enabling computers to adapt to people must 
be a description that a computer can use that characterizes 
the person and his or her information and knowledge-oriented 
requirements; it is a fundamental requirement. He repeated 
that this is the grass-roots basis of concept modeling 
technology. It deals with a user’s conceptual framework, in 
the language they use to do the work they do in the way they 
want to do it, with the information and processes that are 
only relevant to them in the context in which they are 
working. 

John concluded his explanation of concept computing with the 
remark that, currently, users are offered applications. “The 
shift involved here is a shift away from ‘applications’ towards 
‘intelligently configured services’ that are intelligently 
configured by the knowledge processing infrastructure based 
on the user’s world view. They are delivered by the concept 
computing modeling tools and their supporting components in 
the knowledge-processing infrastructure, perhaps networked 
together with knowledge fragments of others in such a manner 
that new emergent properties of knowledge are revealed.” 

In my opinion, that last aspect that John addressed, the 
emergent properties, needed some further elaboration, 
certainly because the question may be asked how all these 
concepts can be integrated into a fully workable and reliable 
system or system of systems. I therefore asked John to go into 
more detail, a request he was all too willing to fulfill. 
Emergent properties 

“Clearly, understanding the rules of behavior within a single 
system is reducible to levels of understanding that allow its 
deconstruction, reconstruction and full understanding of the 
implications at the micro and macro levels. Such detail makes 
the outcomes knowable. However, understanding the 
interactions between multiple systems with differing goals and 
means of achieving them in an integrated and holistic system 
creates the problem of ‘emergent’ properties that, in turn, 
create unforeseen risk. 

“In many ways, what we are discussing is recognizing that 
businesses are in a state of rapid change. They are, in many 
cases, on the ‘edge of chaos’. That may sound dangerous, but 
in actuality it is a very positive place to be (if and only if you 
are prepared for the consequences). These emergent 
properties come from a rearrangement of patterns within the 
enterprise and its connections to the outside world. 

“Think of it this way. Many businesses look at the patterns of 
behavior and processes in their enterprise and try to capture 
them, creating a virtual snapshot of how things operate today. 
This snapshot is taken through a clear lens and optimal 
systems can be defined and built from it. 

“While the elements of the business may remain the same, 
the patterns reveal themselves more like they would through a 
kaleidoscope than a clear lens. Living at the edge of chaos in 
this world means that you are literally operating within a 
deformable landscape. It is like walking on rubber: once you 
feel stable, the landscape changes and you have to adapt all 
over again. 

“What this means is that while you are changing, the world 
you communicate and operate with is also changing. The 
fitness and survivability of the business depend on the 
‘viability’ of the systems available at the time. 

“So, instead of building the ‘optimal’ system, which is possibly 
the best system available at the time, it may become unviable 
if even slightly affected by changing circumstances. 
“What this infers is that designing conceptual models that 
perform suboptimally may be more adaptable, and thus more 
viable, when dealing with change. This deals with the IT issue 
of worrying that inference engines and models may be slower 
in operation. However, if they are adaptable they will survive 
where optimal systems have become defective and come to 
constitute an obstructive nuisance. 

“This translates to what I would call a ‘local optimum,’ which 
means that in a deformable fitness landscape, survivability of 
the business has a greater set of odds in its favor.” 

“That’s interesting,” I remarked. “This reminds me of the 
antifragility concept of Nassim Taleb (Taleb, N., 2012), a man 
with some experience in risk-taking business. You are, in 
essence, describing the same capability. It allows you to 
survive and seize opportunities.” 

John nodded and continued: “Not to get technical, but 
operating at the edge of chaos enables the recognition of 
‘phase transition’ opportunities. This is where the adaptability 
and fluidity of operations support change. Fluidity is the key. 
With the concept-computing model, deeply frozen systems 
move towards more fluidity, increasing the enterprise’s 
‘fitness for survival’.” 

“GRC environments are complex systems with interdependent 
links to assure compliance. They require a different approach 
because ‘emergent’ properties are often unknowable, which 
defines complexity. Orthogonal design and non-linear 
dynamical capabilities can aid in the solution to dealing with 
complex systems because emergent properties can be 
surfaced as anomalies (unforeseen consequences) and 
structured to create a new ‘emergent order’. In other words, 
once known, replicated and tested, the new holistic system or 
trans-framework architecture becomes knowable and thus 
orderly. 

“This same orthogonal design, which is knowable in the 
context of its design and models of behavior, allows topics to 
be addressed at the user, department, division and enterprise 
levels, individually, with the confidence that the ordered 
collection will also work as an integrated system. This is 
because the declarative method of implementation is 
separated from the flow controls of the processing.” 
“So you mean that the user will not be overloaded with too 
many, and perhaps contradictory, instructions?”, I asked. 
“Indeed,” John answered. “For the user, the boundaries of 
their requirements to provide their service level is constrained 
by what they are doing and the context in which they are 
doing it. This is a dynamic activity. Here lies an important 
distinction in operational control, in that the very same user 
can operate within a totally different context and have a 
completely different experience, once again constrained by 
the role, relationship and responsibility. 

“One level above, management may be viewing their 
responsibility in the context of departmental controls as 
defined by an internal policy. Their activities are constrained 
by the context, and when a role changes, the context 
changes. At the divisional level, management will be 
constrained by the activities applicable to them with the 
subfunctions inherited by their ‘world view,’ which is another 
term for the role relationship responsibility context. 
Subordinate activities increase in control level, while best 
practices are pushed down to the operator level in the context 
that is needed within the framework of activity. 

“Anomalies, disjoins and conflicts in and between frameworks 
can now be surfaced and dealt with in a timely fashion, and 
before they constitute a compliance problem in one context 
and a non-compliance problem in another. Once knowable, 
they can be dealt with, and the complex and unknowable 
become the complicated yet knowable, making them a 
completely different animal to deal with.” 


Arbitrary truth 

“But doesn’t a single source of truth obviate such problems by 
forcing controls across systems?”, I asked. “No, and why is this 
so? Some argue for a central source of truth to assure integrity 
of data and processes. But this is, to some degree, nearly 
impossible because of the sheer volume of variables that need 
to be tested. Equally importantly, from a philosophical and 
practical view, truth is arbitrary, in the discretionary sense. 
The fact (or a truth) is that all truths are true ‘in a model’. In 
other words, the model that facts operate in dictates the 
truth in the context it is being used in. It’s a long and 
complicated subject, but at the end of the day designing 
systems is designing within a model of desired outcomes 
within a framework that supports them. So what is true in one 
model using identical facts may not be true in another. We 
see this every day in our interactions with human beings.” 

The concept of arbitrary truth resonated with me, and I 
remembered earlier discussions about the multidimensional 
nature of what we can know. Both truth and knowledge are 
polyvalent and not monovalent. Validating and warranting is 
needed, and context and feedback matter. Meanwhile, John 
came back to the reasoning aspect. 

“This brings us back full circle to reasoning. By using 
reasoning-based systems, the foundations of the truth under 
discussion or operation can be exposed. In other words, all 
decisions can have full traceability and, for that matter, full 
transparency as to how and why the decisions were made and 
what truth they were based on and within which truth 
paradigm. This means that a human can begin to understand 
the complexity of the systems they are dealing with, and even 
foresee possible emergent properties that can become 
problematic. The closer one can predict these problems, the 
lower the overall risk in operations. Moreover, it becomes 
explicable, which is important when large fines are looming or 
your freedom is on the line. 

“One of the barriers to providing regulatory controls as a 
service has been the complexity argument. Furthermore, 
when dealing with the problem in the traditional linear 
fashion, it is problematic from both a systems and 
infrastructure perspective. However, regulations are designed 
for the regulated, and there is a limited set of those 
businesses. Moreover, regulations are topical; they deal with 
higher-order functions that have a network of detail but are 
still limited to a particular topic for a particular purpose. For 
instance, our example of duty of care is one topic among 
hundreds, but the network of linkages between and across 
frameworks will be limited to a knowable and controllable 
subset. In other words, you don’t have to know what is 
happening in an unrelated topic to get your answers. The 
topic then creates its own ‘sparse network’ of linkages.” 


Emergent order and sparse networks 

I was only vaguely familiar with the theory of sparse networks, 
so I felt compelled to ask John to explain it in more detail. 
“Don’t forget that the notion of the declarative models of 
behavior separates the requirements from the process of 
performing those requirements,” said John. “A separate 
inference engine performs the activity, seeking to achieve the 
goal of the topic, and ‘it’ finds the network of relevant 
linkages. Some of these may at first come as a surprise, but 
once known they are simply a complicated network of 
interactions and, of course, knowable. This is part of a science 
that deals with emergent order and came out of genetic 
research using computers to simulate complex genetic 
outcomes of switching on and off certain genes. Instead of 
billions of possibilities, it turned out that the number of 
possible switches was limited by topics. To put it in context, 
an eye gene was not in the same network as a toenail set of 
gene switches, meaning that that network was ignored until it 
came time to test for toenails. 

“The same notion applies to regulation. Although there are 
tens of thousands of regulations, there are some that are 
specific to industries, some that cross industries, and some 
that cross frameworks within an industry: the business, the 
customer, the operations, IT support, etc. These can amount 
to billions of possible connections. At the end of the day, 
however, the network of all possible connections is limited 
and knowable because the inference engine will find and limit 
the connections to only those that meet the goal that is in 
process of being met. Here, a globe of dense networks with a 
limited set of lit-up connections might make the point. 

“The ability to provide context across and between 
frameworks and make complexity knowable through sparse 
network connections also facilitates ‘governance as a service,’ 
whether as an outside facility servicing an industry or one 
installed in and across the enterprise, servicing the needs of 
the compliance officers. 

“It facilitates a central control mechanism that monitors all 
events, provides advice and consent features and maintains a 
complete record of all transaction history at the point of 
performance. This transparency and traceability are found in 
the sparse networks, which link to the reasoning engine, map 
to the regulations and provide a previously unheard-of facility 
for reducing compliance overhead by orders of magnitude. In 
addition, they assure stakeholder confidence and adapt to 
changing conditions faster than any rival alternative. Such a 
facility is the objective of real-time regulatory oversight.” 

This made the concept of sparse networks clear to me again. 
John’s argumentation made sense. “But what happens when 
new rules are promulgated?”, I asked. John smiled and said, 
“The same mechanisms that provide the ability to create and 
surface sparse networks will allow the inclusion of a new rule 
with all the new connections surfaced, connected and utilized 
in the reasoning engine. This is hard to believe, but true. 
Imagine trying to do that by mapping out all the possible 
connections. Let’s put this in perspective,” he said. 

“Let’s say you have one hundred rules that can be combined 
with only two possible outcomes: true or false. So rule A is 
true or false; simple enough for one rule. Now suppose that 
you need to test for rule A and B, and this network now has 
four states: true/true, true/false, false/true and false/false. A 
further network of three rules would have eight states: 2X2X2 
and so on until you tested for all one hundred rules, when you 
would have to test for one million trillion trillion states. Or, 
to put it another way, you would need longer than the 
universe is thought to have existed for to test the results. No 
wonder the complexity of a simple hundred-rule system scares 
the living daylights out of designers.” 

I started my laptop and checked the formula in 
Wolfram|Alpha. John was right. I even tried a calculation in 
which I assumed that every test took 0.2 seconds. The reader 
may also want to try this. 

Figure 16: Complexity of a traditional hundred-rule system 
It resulted in really dazzling figures that put preferences for 
using traditional rule-based systems in a whole different 
perspective. John confirmed this and continued: “However, as 
has been proven time and time again, it turns out that the 
cycles quickly develop ‘emergent order’ and develop limited 
networks of connections or, as we have said before, ‘sparsely 
connected networks’. The combination of inference 
mechanisms, and constraints (within roles, relationships and 
responsibilities) limits the full set of possible networks to 
manageable behaviors. However, you need the engines to 
make this happen, and finding them manually would take an 
army more time than the predicted cold end of the universe.” 
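The arithmetic behind John’s hundred-rule argument, and the contrast with a goal-directed engine that walks only the sparse network behind one topic, as an added illustration that is not from the book. The 100-rule network (10 topics of 10 rules, each topic a tree resting on facts), the facts and the 0.2 s per test are all constructed.

```python
"""Added illustration, not from the book: the 2**n blow-up of testing every
true/false combination of n rules, set against a goal-directed evaluator
that touches only the sparse dependency network behind one goal (topic).
The 100-rule network, the facts and the 0.2 s per test are constructed."""
from __future__ import annotations

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9  # commonly cited estimate


def exhaustive_states(n_rules: int) -> int:
    """Each rule is true or false, so n rules have 2**n joint states."""
    return 2 ** n_rules


def exhaustive_test_years(n_rules: int, seconds_per_test: float = 0.2) -> float:
    """Years needed to test every joint state, one test at a time."""
    return exhaustive_states(n_rules) * seconds_per_test / SECONDS_PER_YEAR


def build_rule_network(topics: int = 10, rules_per_topic: int = 10) -> dict[str, list[str]]:
    """Constructed network: rule name -> premises (all of them must hold).
    Each topic is a small tree of rules resting on facts; topics never
    reference each other, so the graph is sparse (the 'eye gene' is never
    wired to the 'toenail' switches)."""
    rules: dict[str, list[str]] = {}
    for t in range(topics):
        for k in range(rules_per_topic):
            children = [f"t{t}_r{c}" for c in (2 * k + 1, 2 * k + 2)
                        if c < rules_per_topic]
            rules[f"t{t}_r{k}"] = children or [f"t{t}_fact{k}"]  # leaves rest on facts
    return rules


def evaluate(goal: str, rules: dict[str, list[str]], facts: dict[str, bool],
             trace: list[tuple[str, bool | None]] | None = None,
             _stack: tuple[str, ...] = ()) -> bool | None:
    """Backward-chain from `goal`, touching only premises it depends on.
    Every rule visited is appended to `trace` with its value, so the
    conclusion stays explainable. Returns None when a needed fact is
    unknown; raises on a dependency cycle instead of looping forever."""
    if trace is None:
        trace = []
    if goal in _stack:
        raise ValueError(f"dependency cycle through {goal}")
    if goal not in rules:
        return facts.get(goal)  # a plain fact; None if nobody asserted it
    values: list[bool | None] = []
    for premise in rules[goal]:
        value = evaluate(premise, rules, facts, trace, _stack + (goal,))
        values.append(value)
        if value is False:  # one false premise settles a conjunction
            break
    result: bool | None
    if False in values:
        result = False
    elif None in values:
        result = None
    else:
        result = True
    trace.append((goal, result))
    return result


def rules_touched(goal: str, rules: dict[str, list[str]], facts: dict[str, bool]) -> list[str]:
    """Names of the rules the engine actually had to evaluate for `goal`."""
    trace: list[tuple[str, bool | None]] = []
    evaluate(goal, rules, facts, trace)
    return [name for name, _ in trace]


if __name__ == "__main__":
    network = build_rule_network()
    facts = {f"t3_fact{k}": True for k in range(5, 10)}  # the leaves of topic 3
    print(f"100 rules -> {exhaustive_states(100):.3e} joint states")
    print(f"at 0.2 s per test: {exhaustive_test_years(100):.2e} years "
          f"(age of the universe: ~{AGE_OF_UNIVERSE_YEARS:.1e})")
    print("t3_r0 ->", evaluate("t3_r0", network, facts),
          "after touching", len(rules_touched("t3_r0", network, facts)), "of 100 rules")
```

Exhaustive enumeration of the constructed 100-rule network would take on the order of 10^21 years at 0.2 s per test, while a goal in one topic is settled after visiting at most the ten rules wired to it, fewer still once a premise fails.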

That was the perfect point at which to finish discussing the 
technology aspects. We didn’t want to go into further detail 
because it might not be of interest to the majority of the 
readers of this publication. The sun was still shining and we 
decided to go for a walk. 
Introduction 

While walking towards the beach, we passed the restaurant 
where I had lunch before. I told John about my “overload” 
experience and thoughts about letting someone else deal with 
the overload portion of regulation. John laughed. He had 
witnessed that same restaurant problem with Europeans 
before. Saving food for later consumption was no problem in 
the U.S., but saving legislation for later implementation 
entails huge risks. If the absorptive capacity of organizations 
is not sufficient to cope with the volume, another approach is 
required. So finding another party that helps you to deal with 
the regulatory overload was certainly an interesting and 
feasible idea. That concept is, in fact, called “governance as a 
service”. 


All doing the same tedious thing 

John reminded me of the 14,000 new rules and 60-plus-a-day 
new ones. He said, “Governance as a service with such a 
volume is not only feasible with the technology we discussed, 
but, frankly, a practical solution to the multiple islands of 
similar activities taking place in regulated businesses across 
the globe.” John quoted some statements of Willem Dicou, a 
very seasoned colleague at Be Informed: 

“You know, all doing the same tedious thing. Replacing it with 
a single service providing real-time regulatory oversight can 
change the paradigm of running the business and assuring 
compliance across both internal and external policy rules.” 

“Note that the compliance rules for all organizations in a 
particular segment of the industry (banks, insurance 
companies, pension funds) are the same. Besides, the policy-makers 
(government/politics) and the regulators do not, as 
such, have a charter to increase regulatory and monitoring 
pressure, but are forced to do so due to the inability of the 
industry to prove its compliance and proper governance.” 
Possible solution 

“So what is needed according to Willem?”, I asked John. His 
answer was clear. “Because the problem is the same for all 
financial institutions in the market, a common approach for 
tackling the execution of compliance (other than, for 
example, risk management, in which the company policy, 
market positioning, etc. play a role) is worth considering. This 
has the potential to lower cost and burden for everybody. 

More effective monitoring and lower monitoring pressure 

“Such a common approach establishes common ground for all 
stakeholders (policy-makers, regulators, financial 
institutions). This allows for more effective monitoring and 
lower monitoring pressure.” 

Better image 

John continued: “Demonstrable compliance, executed by an 
independent and impartial party, will deliver a better image 
for the whole industry. Corporate social responsibility (CSR) 
can then be applied to compliance in the financial industry as 
well. After all this, it is really a matter of restoring public 
trust. 

Trustworthy and independent party 

“When all stakeholders invest together in one trustworthy and 
controllable platform, the costs for everyone will decrease 
even further. This requires a trustworthy and independent 
party that offers such a platform to the market in a secure 
way and with high-volume capacity.” 

Shared body of knowledge 

To my question of what else is needed, John replied, “For the 
management and maintenance of the various regulations and 
the resulting controls, a ‘body of knowledge’ can be instituted 
in which all stakeholders participate and provide supervision. 
Advantages include the following: 

• Shared interpretation of regulation, leading to 

unambiguous and effective controls, and reports 

• Full transparency and traceability 

• Shared costs 

• Shared knowledge. 

From compliance costs to compliance revenues 

“When the reliability of compliance controls and reports 
increases, financial institutions can lower the safety margins 
they now take into account for their capital requirements, i.e. 
greater reliability decreases the probability of the regulator 
retrospectively concluding that the reported figures were 
wrong. The positive effect of this is that the credit facility of 
Increasing trust 

Increased trust 

I told John about the development in the Netherlands of the 
concept of horizontal monitoring by the Dutch Tax and 
Customs Administration. The concept is certainly related to 
what John described. It could be an extension, or even better 
a result, of applying governance as a service. It has also an 
analogy with the knowledge-based trust level that was 
discussed in the first chapter. 

Horizontal monitoring 

Quote: horizontal monitoring 

The working method of the Dutch tax authorities is changing from vertical 
monitoring towards horizontal monitoring. Where vertical monitoring is based 
on checking retrospectively, horizontal monitoring is a form of working in the 
present based on mutual trust, understanding and transparency between the 
enterprise and the tax authorities. Horizontal monitoring consists of two 
elements: a good relationship between the tax payer and the tax authorities 
(recorded in a compliance agreement), and good risk detection, based on what 
is known as the tax control framework. The actual “working in the past” is 
replaced by “working at present.” By applying horizontal monitoring, the 
Dutch tax authorities try to arrive at a method of compliance. This means that 
entrepreneurs will voluntarily comply with the application of the law and 
regulations. 


Advantages of horizontal monitoring are amongst others: 

1. Certainty in advance 

By applying horizontal monitoring, “working in the past” is replaced by 
“working at present”. The entrepreneur will act with a transparent attitude 
towards the tax authorities and the latter will provide a fast judgment about 
the tax situation of the taxpayer. Both parties will no longer find 
themselves in a situation of insecurity. In addition, the taxpayer will have a 
fixed point of contact with the tax authorities. 

2. Less rigorous audits afterwards 

Working at present means that future tax audits and related points of 
discussion with the tax authorities will be avoided. Under the system of 
horizontal monitoring tax audits will only be performed at random. The tax 
authorities have expressed their intention that entrepreneurs not taking part 
in horizontal monitoring will be subject to tax audits in the future. 

Source: www.foreigninvestments.eu 


Increased reliability and trust 

It seemed to me that, in line with what the Dutch Tax and 
Customs Administration has achieved with horizontal 
monitoring, the effect of increased reliability can enhance 
trust between policy-makers and regulators and the financial 
institutions. Therefore, in the course of time, the required 
safety norms can be adapted, enabling credit facilities to 
again be increased with new opportunities for growth. 

The obvious question to John was whether this is manageable 
and scalable on a larger scale. 


“Is it manageable and scalable?” 

Ontology-based product management 

I was wondering whether an approach that spans multiple 
financial institutions and duties of care is still manageable. 

According to John, a semantically driven business process 
platform enables not only the management and execution of 
knowledge-intensive processes, but also the management of 
knowledge-intensive products. An ontology is used to model 
the topics customers are interested in. For instance, providing 
international compliance on liquidity by managing, for 
instance, Basel vs. Dodd-Frank requirements is an important 
feature that would provide instant value. Multiple banks and 
other financial institutions would be interested in a service 
offering. A simple ontology describing banks applying differing 
liquidity policies is displayed in the following image. 

Figure 17: Banks using different liquidity rules 



Source: Be Informed, John Coyne, 2013 

Split-second changes 

In the simple example above, banks A and B utilize the Basel 
liquidity tests and policies, while banks C, D and E use the 
Dodd-Frank rules and policies. This operational model executes 
the actions necessary for compliance. I asked John what 
would happen if bank C no longer applied Dodd-Frank and 
needed to use the Basel tests. John’s diagram below shows 
the simplicity of using models to execute change. 
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Figure 18: Changing liquidity application 



Source: Be Informed, John Coyne, 2013 


The transfer of a relationship changes the rules of liquidity 
checks. Above, the simple relationship of bank C (red line) is 
diverted to Basel, and now all the rules used by bank C will 
apply the Basel model. It is that simple to execute what would 
be a complex change in any other system. 

This led me to ask John the obvious question of why it doesn’t 
exist yet. 


“Why doesn’t this exist yet?” 

John paraphrased the previous statements of Willem Dicou by 
saying, “Compliance and accountability have always been 
there, but not to the degree we have come to know over the 
last couple of years. The adverse events in the financial 
industry have caused an exponential increase in the number of 
regulations. The way the industry responded was with ‘more 
of the same’. This was, in effect, the arduous post-collection 
of data and evidence and delivery of the reports required by 
the regulators. However, with the huge number of regulations 
and the speed of changes, this ‘brute force’ approach is no 
longer viable. Meanwhile, once they discover they no longer 
have to accept this ‘afterthought’ reporting, the regulators 
may decide not to. 

“The cost of the traditional approach is increasing 
exponentially for both the financial institutions and the 
regulators, while the level of compliance and the quality of 
reporting is lagging behind. 
“A paradigm shift is needed to solve the problem - in real 
time, with embedded compliance, horizontal monitoring and a 
commonly supported solution which: 

• provides enforcement options for compliance 
automatically 

• is reliable, transparent and traceable 

• is practicable at a reasonable cost level. 

This shift is not only needed at the enterprise level, but also 
at the industry level.” 

John concluded his view with an appeal: “Let’s not forget that 
non-compliance, or the inability to prove it, causes 
reputational damage for both individual financial institutions 
and the entire industry.” 


Subsidiarity as an option 

I tried to imagine how one best could realize the concept of 
governance as a service. I expected that it required a pulling 
force from some large and committed market parties, but also 
a smart approach to lower the barrier for pre-competitive 
collaboration. 

That reminded me of the concept of “subsidiarity” that is 
used in the European Union. Subsidiarity entails the idea that 
a central entity should have a subsidiary function, performing 
only those tasks which cannot be performed effectively at a 
more immediate or local level. So it is a federated approach, 
not a centralized or totally decentralized approach. In this 
case, the central entity could provide the interpretation and 
control services based on regulation. A local or multinational 
enterprise could add their own controls, based on their goals, 
objectives and risk appetite. In a large enterprise, there could 
also be a unit or line of business that defines its own controls 
within the boundaries of the enterprise. 

So I told John, “The result is harmonization with respect for 
autonomy on the one hand, and distribution of work on the 
other. It also preserves the option of outsourcing ‘local’ parts 
of the work to your own trusted provisioning party on a 
contractual basis. You will probably negotiate with parties 
taking into account the time and cognitive value of the 
provided services.” 
After the walk, we discussed which topics still needed to be 
covered in the interview series. Since there was only one day 
left, we decided to spend the next day focusing entirely on 
the question of how organizations can realize the 
transformative approach we had discussed in various ways. 

I was well aware of the fact that John’s notes, which I had 
read, contained more valuable insights. We agreed to add at 
least a selection of observations, pains and their solution to 
this publication. Interested readers can find this selection in 
the appendix. 
Part V: 

How to start your transformation 
NOW! 


Introduction 

The next morning, the sun was shining bright. We started our 
conversation by looking back over the past few days, in which 
we had found that a paradigm shift is needed to enable 
organizations to cope with the disproportional burden of 
compliance. We found that this shift can provide crucial 
benefits, both reputationally and business-wise. We discussed 
the concept of real-time regulatory oversight, working in 
spontaneous networks and managing meaning via a topic- 
based approach across frameworks. We found that a semantic 
technology is needed that enables you to deal with the 
inherent non-linearity of actual operations in the real world, 
and that this creates the real power to adapt and transform. 

This summary brought us back to the theme of the day: “How 
to transform?” It seemed to me to be inevitable that we 
should start with the aspect of leadership and managing 
change. 

“Talking about leadership and managing change, do you know 
how I position them in the governance risk and compliance 
space?”, John asked. I didn’t know, and then John came up 
with a striking metaphor. 


Playing jazz 

“You may know that I’m something of a musician myself. 
Consequently, I see a strong analogy with playing jazz. In jazz, 
we musicians really enjoy performing together, and at the 
same time excel in our own field of capability. There is one 
leader who sets the melody and the pace. Within these 
constraints, we ‘do our thing’ - sometimes in a solo, 
sometimes backing up another player, and sometimes playing 
together in changing constellations. The path is not 
determined, but the goal is clear. In the end, the participants 
(active and passive) must be satisfied and feel good. Our 
goal is to ‘get in the groove’ - a flow where everything 
happens automatically and almost effortlessly.” 

Ensemble means “together” 

I liked that analogy. John was talking about a kind of 
connectedness that fitted perfectly within the increased 
engagement trend that is depicted in the virtuous spiral of the 
first chapter. So I asked him about the role of the director in 
the ensemble. 


John looked surprised. “Ensemble,” he said. “That word says 
it all, doesn’t it? ‘Ensemble’ means ‘together’. If we take the 
oval image and add some of the musicians to it, it would look 
like this.” John added a selection of roles to the image. 


Figure 19: The GRC jazz ensemble 
Source: Be Informed, Thei Geurts, 2013 


John said: “As you can see, it can become a very large 
ensemble that definitely needs a leader: an individual who 
sets the principles and guidelines for behavior and working 
together, and knows that musicians are averse to command 
and control, but still need direction. Someone who has vision 
and drive, who wants to perform at the top level, and knows 
that the best performance comes from facilitating and 
fostering the diverse talents in the group. 

“Come to think of it, did you know that there is a difference 
between leading an orchestra and a jazz ensemble?” 
I didn’t know what John meant, so he explained it to me: “An 
orchestra is a streamlined machine that practices the 
execution of a well-defined piece of work. It doesn’t like 
continuous - and certainly not unforeseen - change. All 
ambiguity is expelled. In jazz, like in the real world of 
financial services, there is always room for ambiguity and 
flexibility. It is in fact the nutrient for customer-centricity, 
operational excellence and uniqueness. 

“In practice, organizations in heavily regulated industries are, 
at present, not able to play like an orchestra, let alone to play 
like a jazz ensemble. They are faced with a cacophony of 
sounds of ad hoc trials and of recommendations about what to 
do. Nothing really works. It’s time to try something different. 

“Real leadership in the 21st century requires many of the 
talents of a contemporary director of a jazz ensemble. It is 
about setting the direction and constraints. Because you don’t 
want a cacophony, there are constraints on key transpositions 
and simultaneous beat or rhythm. It’s also about knowing the 
trade, being able to organize and respond to new situations, 
and maintaining direction while being open to other insights 
and possibilities, respecting professionals, allowing autonomy 
within the purpose and meaning of the whole group and, of 
course, keeping the pace.” 

John concluded: “It may be a new way of working for 
enterprises, but for jazz musicians it is proven practice.” 


Building an engagement network 

I liked the metaphor that John used. Jazz is often used as a 
metaphor, but, to my knowledge, not in the GRC space. It 
gives an indication of which direction an organization must 
take in order to transform successfully. It is the direction of 
what is often cited as “the new way of working”. 

The concept is often used too narrowly. In my opinion, the 
new way of working brings multiple disciplines together in a 
flexible, coherent and meaningful context to realize business 
goals. It is a reason for all actors to consult, communicate, 
cooperate and coordinate - in short, to collaborate. It respects 
main employee motivators like mastery, autonomy and 
purpose, and makes them possible without compromising the 
need for overview and control. Actually, one of the key 
ingredients of Be Informed is its ability to develop 
spontaneous and dynamic collaboration, a feature unheard of 
in traditional systems. This spontaneity is also a key jazz 
concept. 


Figure 20: The new way of working 
Source: Be Informed, Thei Geurts, 2012 


“So, you are right, it is very much like playing jazz, but then 
in the context of an enterprise or public institution,” I said. 
“There is a general tendency to move from a command-and- 
control approach towards a more balanced approach for 
providing direction, facilitating professionals and enabling 
them to excel. Contrary to what some people expect, it 
results in higher productivity and greater commitment. 

“I vaguely remember a definition of the ingredients of work as 
‘the questions and commitments and possibilities that bring 
things forth’. I don’t know the source anymore, but it fits very 
well in the concept of spontaneous networks, or in jazz terms 
‘spontaneous jam sessions’. Collaborators can ‘sit in’ on the 
fly and ‘jam’.” 

“Another important word in that definition is ‘commitment’. 
You need an ensemble to jam with. It needs to be a group that 
is engaged and willing to play a part in the piece. So it will 
probably depend on the jazz capability of your workforce 
whether you can start with one or more small ensembles that 
ultimately come together in one massive jam session. If a 
certain capability is missing, you can fly in guest players to 
join the ensemble.” 

Last but not least, I also see a clear connection to the aspects 
of managing meaning and sense-making. 

John obviously liked the references to the jazz scene. 
However we needed to move forward to the enabling 
technology aspect. Like a high-quality ensemble needs high- 
quality instruments, the same applies to the GRC scene. 

The next two sections offer a brief reference to innovative 
technology that meets the requirements previously discussed, 
which, by its nature, can be described as highly 
transformative. Since this aspect of the discussion is of 
interest primarily to the technology-oriented audience, it will 
not be discussed in further detail here. 


Leveraging business technology 

The business technology that can leverage the ambition 
expressed in this publication is finally available. This proven, 
scalable and reliable technology is now being introduced into 
the commercial market. With a proven track record of high- 
performance governance, Be Informed’s Governance, Risk & 
Compliance group is ready to bring this innovation to globally 
regulated industries. 

Be Informed stands alone in providing total prescriptive 
solutions at the transaction level. This means that at each 
stage of a transaction, Be Informed’s technology can monitor 
for compliance and risk at both the internal policy and 
government regulator level. Where regulations are well 
understood, this can provide productivity gains in the various 
role relationship layers within an enterprise. Where there is 
ambiguity, you can surface those ambiguities for management 
intervention and legal opinion. Furthermore, once established, 
the interpretation becomes part of the straight-through 
processing facility that streamlines the activity. 

What’s more, these decisions are recorded at the time of the 
transaction, and a real-time audit provides both management 
and regulators with an “in-time snapshot” reference as to why 
a transaction was deemed either compliant or non-compliant, 
and allows management to control the compliance risk. 
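The relationship-driven rule selection of Figures 17 and 18, together with the per-transaction decision record described just above, as an added illustration in Python that is not part of this publication or of Be Informed’s product: the ontology is reduced to a map from bank to liquidity regime, each regime node owns its own test, and moving bank C’s relationship from Dodd-Frank to Basel changes which test its next transaction is judged by without editing any rule code. Every evaluation returns a decision record naming the regime, its version and the rationale that produced the verdict. The ratio thresholds, the regime version strings and the bank names are constructed placeholders, not the actual Basel III or Dodd-Frank liquidity requirements.

```python
"""Relationship-driven rule selection plus a per-transaction decision record.

Constructed example (not Be Informed code). The 'ontology' is a map from a
bank to the liquidity regime it is related to; each regime node owns its
own liquidity test. Moving bank C's relationship from Dodd-Frank to Basel
(Figure 18) changes the test applied to its next transaction without
touching any rule code, and every evaluation yields a Decision that records
which regime, which version and which rationale produced the verdict.
The ratio thresholds below are placeholders, not the real regulatory ones.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Regime:
    """A regime node; `test` maps (liquid_assets, net_outflows) to a verdict."""
    name: str
    version: str
    test: Callable[[float, float], bool]
    rationale: str


# Placeholder tests: the actual Basel III / Dodd-Frank thresholds differ.
BASEL = Regime("Basel", "2013-01", lambda a, o: a / o >= 1.0,
               "liquid assets must cover 100% of net outflows (placeholder)")
DODD_FRANK = Regime("Dodd-Frank", "2013-01", lambda a, o: a >= 1.2 * o,
                    "liquid assets must cover 120% of net outflows (placeholder)")


@dataclass
class Ontology:
    """Bank -> regime relationships (the 'red line' of Figure 18), one per bank."""
    applies: Dict[str, Regime] = field(default_factory=dict)

    def relate(self, bank: str, regime: Regime) -> None:
        # Re-pointing this edge is the whole change; no rule code is edited.
        self.applies[bank] = regime

    def regime_for(self, bank: str) -> Regime:
        if bank not in self.applies:
            raise LookupError(f"no liquidity regime is related to bank {bank!r}")
        return self.applies[bank]


@dataclass(frozen=True)
class Decision:
    """In-time snapshot of why one transaction was judged (non-)compliant."""
    bank: str
    compliant: bool
    regime: str
    regime_version: str
    rationale: str
    liquid_assets: float
    net_outflows: float
    recorded_at: str


def check_liquidity(onto: Ontology, bank: str,
                    liquid_assets: float, net_outflows: float) -> Decision:
    """Resolve the bank's regime through the ontology, run its test, record the result."""
    if net_outflows <= 0:
        raise ValueError("net outflows must be positive for a coverage test")
    regime = onto.regime_for(bank)
    return Decision(
        bank=bank,
        compliant=regime.test(liquid_assets, net_outflows),
        regime=regime.name,
        regime_version=regime.version,
        rationale=regime.rationale,
        liquid_assets=liquid_assets,
        net_outflows=net_outflows,
        recorded_at=datetime.now(timezone.utc).isoformat(),
    )


def build_figure_17() -> Ontology:
    """Banks A and B apply Basel; C, D and E apply Dodd-Frank."""
    onto = Ontology()
    for bank in ("A", "B"):
        onto.relate(bank, BASEL)
    for bank in ("C", "D", "E"):
        onto.relate(bank, DODD_FRANK)
    return onto


def demo() -> List[Decision]:
    """Same transaction for bank C before and after the Figure 18 change."""
    onto = build_figure_17()
    before = check_liquidity(onto, "C", 110.0, 100.0)  # 110 < 120: not compliant under Dodd-Frank
    onto.relate("C", BASEL)                            # move the red line
    after = check_liquidity(onto, "C", 110.0, 100.0)   # 110 >= 100: compliant under Basel
    return [before, after]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point a practitioner should take from this is that the decision record carries the regime version and rationale alongside the verdict: when the relationship is later moved again, earlier records still explain themselves, which is what an “in-time snapshot” for an auditor requires.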

Be Informed’s GRC initiative builds on growing experience in 
delivering applications that have yielded order-of-magnitude 
improvements in change adoption (days instead of months), 
straight-through processing (STP) rates as high as 99%, 
reductions in licensing costs for communication systems, and 
the replacement of infrastructure for a reduced footprint. 


Living together - the old with the new 

We both prefer transformations on the basis of evolution. As 
John said, “There is an implied requirement that will be, at 
least intuitively, obvious to any person with any significant 
experience working with computer system infrastructures. 
That is the need to evolve a system to the next level of 
functionality while leaving the current level of functionality 
intact. 

“In technical language, this means creating a knowledge 
processing middle or supra-ware infrastructure that interfaces 
with, but does not damage, the information processing 
infrastructure already in place. That is the purpose of a non- 
invasive framework technology that may incorporate such 
technical aspects as service-oriented architecture (SOA), 
simple object access protocol (SOAP), XML, REST (as a 
replacement or augmentation for SOAP) and OpenMAMA (the 
Open Middleware Agnostic Messaging API). Indeed, any wrapper 
interface technology with a call and response is a candidate 
for non-invasive interfaces to existing systems.” 


Implementation scenarios 

Regarding possible implementation scenarios, we agreed that 
implementation can start “on a large scale” and move toward 
more fine-grained implementations over time. This means that 
management can expect early rewards for their investment 
and an expectation that their systems will grow, leveraging 
every previous step. 
It is entirely possible and even advisable to apply an approach 
that I branded the “Grow Live” approach. Possible 
scenarios include: 

• implementation per domain 

• implementation per duty of care 

• implementation per entity 

• implementation per function 

• implementation per solution 

• custom implementation 

• implementation as a service by a trusted party. 

John stressed the fact that, unlike competing alternatives that 
use rapid prototyping as throw-away proofs of concept, Be 
Informed never loses anything that is operational; it builds on 
it. 

• No programming of code 

• No flow charts or swim lanes 

• No waterfall documents for requirements, 
specifications and code 

• No more separate modeling tools and file formats. 

Figure 21: From frustration to engagement 
(axes: Faster, Time) 

Source: Be Informed, Thei Geurts, 2013 


The traditional frustration factor that business requirements 
are compromised in delivering an application can be turned 
into an engagement factor. Modeling with Be Informed stops 
the endless translations of requirements with all their 
negative aspects. The outcome delivers more value, and even 
provides insight into what more is possible with Be 
Informed. 

This was my final conversation with John. It turned out to be a 
very pleasant series of meetings in which we also discussed a 
broad variety of other topics. Because we didn’t want to 
distract the reader from the connecting themes, we refrained 
from presenting them here. This is also why we streamlined 
our interview style to a very slim storyline without any flowery 
language and unnecessary elaborations. We sometimes also 
threw ideas back and forth, which were used in the narratives 
regardless of whom they belonged to. 

After bidding John a warm farewell, I left for the airport. 


Connecting the dots 

At the West Palm Beach airport, I had to wait for more than 
an hour for the flight to Atlanta. This gave me the opportunity 
to consider the meaning of what I had learned from my 
conversation partner in the first chapter. I once again took the 
presented 7P model and looked at all seven points. It turned 
out that they could indeed be connected now. 

Figure 22: Connect the dots 



Source; Be Informed, Thei Geurts, 2013 
Figure 23: Your 7P model answers 

Prudence 

• Create trust by providing timely and accurate information. 

• Augment transparency by offering compliance proof services to regulators and enable real-time regulatory oversight. 

• Cooperate in certified self-control and meta-oversight constructs. 

• Provide impact proof about the effect of new regulations. 

Provision 

• Set standards and use a ‘comply or explain’ approach for external provisioning services. 

• Engage in pre-competitive collaboration on standards, vocabularies and semantics. 

• Engage in GRC as a Service initiatives and fuse them with your internal system. 

Policy 

• Create a GRC-intelligence position and enable ex-ante risk and impact assessment. Develop and simulate scenarios. Model the business in context and from a goal-oriented perspective, including the defined risk tolerance. 

• Design for compliance. 

• Create one version of the truth and make re-use the norm. Manage the policy lifecycle by collaboration and embedded role separation. Capitalize on brainpower. Create a knowledge base to provide insight and support training objectives. Define ethical principles and integrate them in the control and certification cycle. Treat contracts as regulatory mandates and apply the same standards to them. 

• Make procedures and controls executable. 

• Offer GRC as a service. 

• Infuse context-aware decision intelligence. 

• Plan coherent control and report activities. Enable virtual organization and collaboration. 

Production 

• Execute preventive controls (manual and automatic) based on the infused intelligence and dynamic decision support. 

• Support collaboration, role separation and dynamic workflows. Apply monitoring rules, create alerts and offer integrated views. 

• Apply mass customization. Treat every request as a unique case. Create an audit trail; record the decision context with the applied controls, their origin and the rationale used. 

• Manage all case-related facts in a unified case dossier including their decision context. Apply strict security and retention rules for dossiers. Enable gathering and merging of data based on metadata. 

Proof 

• Provide role-based dashboards and alerts. 

• Support continuous auditing, assessment and monitoring from multiple perspectives per case and cross-case. Generate reports based on reporting templates. 

• Support role-based collaboration for monitoring, reporting, analysis, recommendation and remediation. 

• Use the case dossier for liability issues and slash the cost of legal discovery. 

• Offer access to the knowledge base and provide information services for regulatory oversight. 

• Support ex-post impact and risk assessment and propose remediation. 

Performance 

• Connect the dots and augment your GRC capability. 

• Leverage your logic to achieve transparency, sustainability and accountability within risk-aligned business performance. 

• Use a non-invasive business technology to support the business for various GRC frameworks and to optimize invested capital in knowledge and systems. Use a robust platform. Apply a “Grow Live” approach. Start by removing a major bottleneck and optimize by re-use. Reduce legacy and cut compliance costs. 

Profit 

• Result: You have built a GRC-intelligence position and created a high-performance GRC organization. This allows you to move more risks to tiers with lower financial thresholds, lower claim costs and free up capital. You are compliant by design and can become a trusted partner of authorities. Your actionable GRC capability and reputation grow by continuous improvement and engagement. New regulations offer new opportunities. 


Source: Be Informed, Thei Geurts, 2013 
All of my conversation partner’s 7P concerns could now be 
addressed and provided with an answer. In addition, the 
fragile transfer and connection points were replaced by 
antifragile connections. 

We recommend transforming organically, starting by 
addressing the parts of the 7P model that constitute the 
largest burden, and employing your own preferred 
implementation scenario. 


Making the business case 

The business case for risk-aware thinking and action can now 
finally be made with ease. The curve of increasing pain can be 
replaced by a curve of increasing gain. We have sketched the 
value proposition and value architecture. There is a 
transformation approach that fits every organization at the 
enterprise or network level. The enabling technology is now 
available. Last but not least, there are also strong economic 
and regulatory drivers for change. 

Major enterprises spend considerable sums on the 
implementation of compliance rules through the hiring of 
experts, manual maintenance, fines and wasted time. Three 
international banks we have interviewed each estimate that, 
amongst other things, the cost of compliance in the U.S. alone 
exceeds $1 billion. 

Figure 24: Shifting the balance 
Source: Be Informed, Willem Dicou, 2013 

We believe that through a service offering, enabled by the 
unique Be Informed technology, we can reduce the cost of 
operations over time to 1% of what it is today for both the 
business and the IT support infrastructure. This means more 
free capital to the companies for expansion, innovation and 
liquidity ratios. 

Shifting risks to lower risk “baskets” frees up capital that can 
be invested and multiplied. All financial institutions are well 
aware of the multiplication factor that can be achieved. 

Return on regulatory capital 

A sound GRC environment can also be seen as a business 
benefit. There are many ways to generate return on your 
regulatory capital. Benefits include the following: 

• Compliance costs can be reduced by up to 90%, thus 
creating a competitive advantage 

• Straight-through processing (STP) as high as 99% 
shortens cycle time, enables self-service and frees up 
time and attention for specific cases and new 
initiatives 

• Case-sensitive risk assessment increases revenues: 
fine-grained judgments where every customer is a 
unique case 

• Total insight and overview by using a single, integrated 
framework, allowing management to be in control 

• Compliance is an asset of the organization, i.e. being 
compliant can be used as a brand differentiator: 
compare with “being green” in relation to 
sustainability 

• Compliance as a service: use external services from 
expert companies rather than doing it all yourself; use 
intelligent outsourcing. 

And besides that, “What is the risk and cost of doing 
something versus doing nothing?” 


The future has started 

High-performance GRC organization 

In this publication, we intended to prove that the “future 
perfect” that is presented in the first chapter can now be 
realized. Proven technology is available. Concept computing 
enables you to leverage the semantic sweet spot, install a 
regulatory capability, and realize real-time regulatory 
oversight. Interdependencies between frameworks can be 
surfaced, and topical regulations and policies can be executed 
in a coherent way. Risk management can be performed at a 
higher and more comprehensive level. New business 
opportunities arise. The board and all other stakeholders can 
look forward, and the whole enterprise can swing to the 
melody of continuous change. 

Your transformation journey has started. The final result for 
you will be a GRC intelligence position and high-performance 
GRC organization. You are compliant by design and can 
become a trusted partner of authorities. Your actionable GRC 
capability and reputation grow through continuous 
improvement and engagement. New regulations offer new 
opportunities and, through a systemic approach, your 
compliance issues are solved and future issues are prevented. 
Appendix: An Anthology of 
GRC Points of Pain & Solutions 


Introduction 

In this chapter, we offer an anthology of observations, points 
of pain in the GRC space, and solutions based on the vision 
presented in this publication. 


Governance, risk & compliance (GRC) 

In the early nineties, former U.S. president Bush and then- 
president Clinton changed the provisions of the Glass-Steagall 
Act, which separated commercial banking from speculative 
investment. To cut a long story short, between this and the 
Gramm-Leach-Bliley Act of 1999, Wall Street created risky 
speculative products that arguably led to the financial 
collapse of 2008. Since then, instead of reinstating the 
banking regulations that prevented such speculation and risk 
for investors and savers alike, the U.S. government has 
responded with rapid-fire regulations intended to control the 
actions of the financial communities. 

Because the collapse affected so many institutions on a 
worldwide basis, governments around the globe began to 
create regulations to mitigate the risks associated with 
financial investments. Moreover, larger banks have become 
systemically important financial institutions (SIFI) that need to 
be protected from failure due to the systemic effects any 
collapse would have on the financial integrity of world 
markets. 

There are discrepancies between global regulations, regional 
regulations and local regulations. This creates an opportunity 
for regulatory arbitrage. 

Worldwide, an estimated 14,000 regulations have been left 
unimplemented by the regulated institutions, and the backlog 
continues to increase. This means that most, if not all, 
financial institutions are non-compliant and subject to fines. 
The question for many of them is whether they actually care. 
In other words, what is the cost of non-compliance against the 
cost of implementation? 

Goldman Sachs was fined $550 million on an illegal transaction 
(after paying $500 million in another settlement), which cost 
them 10% of their take - not a bad return on investment. 
Without effective measures, the risk reward trend may 
continue in this direction. 

The nation’s five biggest lenders - Bank of America, Wells 
Fargo, JPMorgan Chase, Citigroup and Ally Financial - agreed 
to a $25 billion settlement with the state and federal 
government after a sixteen-month probe into their mortgage 
activities. 

Notwithstanding, the risk to management of personal fines, 
imprisonment or, at the very least, industry censure remains, 
and is a personal pain point for the C-level executive. This is 
also why paid-for directorships are being passed over. The risk 
is not worth the money, especially if the actions of staffers, 
which are out of their control, can affect their freedom. 

Each financial institution is an island of activity, with each 
island repeating and replicating GRC activity. On average, the 
cost to the major financial institutions can be in excess of 
$1 billion annually. 

There is an opportunity to aggregate this risk and provide GRC 
as a service. This could reduce the operational cost of 
compliance by circa 70% through economies of shared 
services. Further savings could come from mitigated risk 
losses, reductions in fines and censure, and, more 
importantly, protection of brand, reputation and customer 
trust that has a direct impact on stakeholder value. 


Compliance as a service 

• Centralization of internal and external regulatory 
processes and provision as a service to revenue 
generators, service departments and external 
customers 

• Generation of revenue or cost transfers from 
regulatory control 

• Provision of regulatory arbitrage services. 
No worldwide agreements on regulatory controls 

Where there is confusion, there is opportunity for profit 

Providing compliance and business opportunities 

Shortage of skills 

Knowledge archiving 

Special trading opportunities 

Worldwide regulators will not agree on global regulations for 
at least five years. This causes confusion and delays GRC 
implementations. 

This will continue unless a worldwide collapse occurs and 
financial control is moved from sovereign territories to global 
institutions such as the World Bank or the IMF; moves already 
reflected in Greece and Italy with European Central Bank 
interventions. Transaction tax threats are moving institutions 
to more “friendly countries”. 

This means that an opportunity exists for financial institutions 
to perform transactions that are illegal in one sovereign 
territory and legal in another with less-stringent rules. 

• No settlement of anomalous regulation for at least the 
next five years 

• Practices restricted in one jurisdiction may be 
permitted in others 

• Allows markets to work freely (for the time being) 

• Opportunity for competitive advantage and revenue 
generation. 

This arbitrage opportunity is a revenue-generating activity 
that will appeal to the business (trading units) and not 
necessarily to the compliance officers, unless they are able to 
maintain regulatory and risk compliance at the local level. 


Best practices 

A developing shortage in skilled compliance officers makes the 
development of best practices a growing problem. Integrators 
and audit firms are providing subject-matter expertise at 
premiums. 

Be Informed represents an opportunity for these businesses to 
archive and distribute knowledge models with best practices 
incorporated into the concept models. In addition, the best 
practices can be context-driven at the role-relationship- 
responsibility level, where they are needed. 

This provides a consistent and repeatable solution to assure 
compliant activity in all aspects of operations. 
Lack of control unit by unit 

Reductions in overhead and opportunity lead to losses 

Manual systems cannot keep pace 

Straight-through processing facilitates more business transactions 

Change means delay and increased risk 

Rapid change maintains business continuity 

The unknown can be scary 

Testing the effects of regulatory change in advance promotes planning 

A lack of control by management causes fractured compliance 
functions. Some business units operate better than others. IT 
may or may not be integrated into the mix even though they 
need to be. Islands of responsibility breed “I’m OK” attitudes. 

The argument for cost reductions is based on several factors: 
reduction in the need for specialized services (consultants), 
reduction in the cost of IT implementation, speed of 
application, improved client services (revenue generation), 
reduced risk, reduced or eliminated cost of non-compliance. 

Continuing delays in checking for compliant behavior and 
manual systems mean there is a real risk of non-compliant 
transactions and losses of opportunity. 

With real-time compliance processing, STP is facilitated with 
only exceptions surfacing for human interaction. In addition, 
forensic audit can be eliminated over time. 

• Change rules “in flight” 

• Prepare for and model future rule implementations for 
execution on the day of the required change 

• Model impact of rules on processes, systems 
and business practices. 

When a change in regulation occurs, the delay in its 
implementation exposes the business to fines, censure and 
management risk, not to mention the potential loss of 
revenue. 

The ability to change rules “in flight” means that when 
exceptions are surfaced, they can be changed within minutes, 
as opposed to days, months or years. This represents a 
sea change in the ability to be compliant. 

Predicting the impact of change for any organization is 
difficult and arcane at best. What effects regulatory change 
will have on management, customers, revenue and operations 
is a risk factor that has unpredictable consequences. 

The time-based rule implementation allows all future rule 
implementation to be carried out on the scheduled date. 
Furthermore, the effects of rule changes can be modeled, and 
prices adjusted in line with risk. 

In other words, the enterprise can know the cost of 
compliance in financial, human and operational terms in 
advance of the change. 
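The three capabilities described above (rules scheduled for a future date, rules changed “in flight”, and a decision that carries its own reasoning chain) can be shown with a small effective-dated rule set. The following is an added example written for this page, not Be Informed's own code or model; the rule names, thresholds, dates and transaction fields are constructed for illustration.

```python
"""Added example (not Be Informed's code): a minimal effective-dated rule
book. Every rule version has an in-force window, a change "in flight"
closes the current version and opens the next one on the same day, and
every decision returns a trace saying which version applied and why.
Rule names, thresholds, dates and the transaction format are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    rule_id: str
    version: int
    effective_from: date            # inclusive
    effective_to: Optional[date]    # exclusive; None = open-ended
    condition: Callable[[dict], bool]
    outcome: str                    # "ACCEPT", "REVIEW" or "REJECT"
    rationale: str                  # human-readable reason recorded in the trace

    def in_force(self, on: date) -> bool:
        return self.effective_from <= on and (self.effective_to is None or on < self.effective_to)


@dataclass
class Decision:
    verdict: str
    trace: List[Dict]               # one entry per rule id: what applied and why


class RuleBook:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def active(self, rule_id: str, on: date) -> Optional[Rule]:
        for r in self.rules:
            if r.rule_id == rule_id and r.in_force(on):
                return r
        return None

    def change_in_flight(self, rule_id: str, on: date, condition, outcome: str, rationale: str) -> Rule:
        """Close the current version at 'on' and open a new version the same day.
        Retired versions are kept, so earlier decisions can still be reproduced."""
        current = self.active(rule_id, on)
        if current is None:
            raise KeyError(f"no version of {rule_id} in force on {on}")
        current.effective_to = on
        new = Rule(rule_id, current.version + 1, on, None, condition, outcome, rationale)
        self.add(new)
        return new

    def evaluate(self, txn: dict, on: date) -> Decision:
        """Apply whichever version of each rule is in force on 'on'; the most severe outcome wins."""
        severity = {"ACCEPT": 0, "REVIEW": 1, "REJECT": 2}
        verdict, trace = "ACCEPT", []
        for rule_id in sorted({r.rule_id for r in self.rules}):
            rule = self.active(rule_id, on)
            if rule is None:
                trace.append({"rule": rule_id, "version": None, "fired": False,
                              "why": "not in force on this date"})
                continue
            fired = rule.condition(txn)
            trace.append({"rule": rule_id, "version": rule.version, "fired": fired,
                          "why": rule.rationale if fired else "condition not met"})
            if fired and severity[rule.outcome] > severity[verdict]:
                verdict = rule.outcome
        return Decision(verdict, trace)


def build_sample_rulebook() -> RuleBook:
    """Constructed sample: one rule in force now, one scheduled to start on a future date."""
    book = RuleBook()
    book.add(Rule("large-transfer", 1, date(2013, 1, 1), None,
                  lambda t: t["amount"] > 1_000_000, "REVIEW",
                  "transfers above 1,000,000 need a second pair of eyes"))
    book.add(Rule("cross-border-report", 1, date(2013, 7, 1), None,
                  lambda t: t["booking_country"] != t["counterparty_country"], "REVIEW",
                  "cross-border transfers are reportable from 2013-07-01"))
    return book


def run_demo() -> Dict[str, str]:
    """Walk one constructed transaction through the rule book before and after an in-flight change."""
    book = build_sample_rulebook()
    txn = {"amount": 600_000, "booking_country": "NL", "counterparty_country": "US"}
    results = {"2013-06-15 before change": book.evaluate(txn, date(2013, 6, 15)).verdict}
    book.change_in_flight("large-transfer", date(2013, 6, 20),
                          lambda t: t["amount"] > 500_000, "REJECT",
                          "threshold lowered to 500,000 after an exception was surfaced")
    results["2013-06-15 after change"] = book.evaluate(txn, date(2013, 6, 15)).verdict  # v1 still governs
    results["2013-06-21"] = book.evaluate(txn, date(2013, 6, 21)).verdict              # v2 applies
    results["2013-07-02"] = book.evaluate(txn, date(2013, 7, 2)).verdict               # scheduled rule now live
    return results


if __name__ == "__main__":
    for when, verdict in run_demo().items():
        print(when, "->", verdict)
```

Keeping the retired version instead of overwriting it is what allows the 2013-06-15 decision to be reproduced unchanged after the threshold was lowered; that reproducibility, together with the per-rule trace, is what an auditor asks for when a choice has to be justified.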
IT has its own problems

The business suffers

Even the IT systems can benefit from models

“Really, officer? I didn’t know that was a non-compliant activity”

“Which rule would you like me to use?”

Regulatory choices can be made

IT compliance integrated with business compliance 

IT managers are subject to numerous regulatory controls, such 
as data privacy, security, data transport and recovery. IT 
managers are under increasing pressure to assure that current 
systems are compliant, and are reluctant to add new 
technologies in the face of such pressures. 

The integration of these pressures with business management 
pressures increases risk on both sides. Operations are 
stultified by fear. Above-the-line processing satisfies all 
operational requirements: 

• Above-the-line processing does not interfere with IT 
systems and compliance processes 

• Real-time journaling of all systems and data accessed 
across multiple networks 

• Real-time assurance of appropriate geographic system 
traversals. 

The same integrated inference mechanisms that provide 
business rule compliance can provide integrated IT controls. 
Real-time journaling of all systems and data accessed by 
users, applications and subsystems can be monitored and 
controlled by model-based applications. 

With global compliance, rules concerning which networks are 
traversed by data can also be modeled by Be Informed 
systems. 
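The real-time journaling and geographic-traversal assurance described in this section amount to evaluating each data access against a model of which jurisdictions a class of data may cross, recording the outcome, and surfacing only the exceptions. The following is an added example written for this page, not Be Informed's code; the data classes, country codes, event fields and sample traffic are constructed for illustration.

```python
"""Added example (not Be Informed's code): a model-driven traversal check
that journals every data access and surfaces only those whose network path
crosses a jurisdiction the data's classification does not permit.
Data classes, country codes and the event format are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed policy model: the jurisdictions each data class may traverse.
# None means the class carries no jurisdiction restriction.
ALLOWED_JURISDICTIONS: Dict[str, Optional[Set[str]]] = {
    "eu-personal": {"NL", "DE", "FR"},
    "trade-confirm": {"NL", "DE", "FR", "GB", "US"},
    "public": None,
}


@dataclass
class AccessEvent:
    subject: str          # user, application or subsystem doing the access
    system: str           # system or data store being accessed
    data_class: str       # classification of the data moved
    path: List[str]       # country codes of the network hops, in order


@dataclass
class JournalEntry:
    event: AccessEvent
    compliant: bool
    reason: str           # the reasoning recorded for audit


def check_traversal(event: AccessEvent) -> JournalEntry:
    """Apply the traversal model to one event and record the outcome with its reason."""
    if event.data_class not in ALLOWED_JURISDICTIONS:
        # Unknown classification: fail closed rather than silently allow.
        return JournalEntry(event, False,
                            f"unknown data class {event.data_class!r}; treated as non-compliant")
    allowed = ALLOWED_JURISDICTIONS[event.data_class]
    if allowed is None:
        return JournalEntry(event, True, "data class has no jurisdiction restriction")
    offending = sorted({hop for hop in event.path if hop not in allowed})
    if offending:
        return JournalEntry(event, False,
                            f"path crosses jurisdiction(s) not allowed for this data class: {offending}")
    return JournalEntry(event, True, "every hop lies within an allowed jurisdiction")


def journal(events: List[AccessEvent]) -> List[JournalEntry]:
    """Journal every access, compliant or not, so the complete history is kept."""
    return [check_traversal(e) for e in events]


def exceptions(entries: List[JournalEntry]) -> List[JournalEntry]:
    """Only non-compliant entries are surfaced for human attention; the rest flow straight through."""
    return [e for e in entries if not e.compliant]


def sample_events() -> List[AccessEvent]:
    """Constructed sample traffic: two compliant accesses, one bad route, one unknown class."""
    return [
        AccessEvent("settlement-app", "ledger-db", "trade-confirm", ["NL", "DE", "GB"]),
        AccessEvent("crm-user-42", "customer-db", "eu-personal", ["NL", "GB", "US"]),
        AccessEvent("web-portal", "price-feed", "public", ["NL", "SG"]),
        AccessEvent("batch-job", "archive", "hr-records", ["NL"]),
    ]


if __name__ == "__main__":
    for entry in exceptions(journal(sample_events())):
        print(entry.event.subject, "->", entry.event.system, ":", entry.reason)
```

Two design points matter in practice: an access with a classification the model does not know is journaled as non-compliant rather than waved through, and compliant accesses are journaled too, so the record an auditor sees is the complete history rather than only the exceptions.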


Assuring compliance 

One of the pain points for compliance officers and 
management is the risk of being non-compliant without 
knowing it, or, being compliant with one rule that conflicts 
with another. 

The inference engine of the Be Informed environment 
together with the models can surface anomalous rules. This is 
especially important in global activities where laws such as 
Dodd-Frank may be in conflict with Basel, the UK FSA, and any 
other local jurisdiction. 

Once surfaced, a rule choice can be made. It may be based on 
risk choices, transactional activity or opportunity. Whatever 
the choice, the justification can be produced for regulatory 
audit together with the choice definitions. Such choices can 
be institutionalized and allow straight-through processing. 

They are not just moving the goal posts... they are moving the playing field

Sorry about losing the $2 billion

Management are expected to know everything


International compliance 

The lack of clarity when it comes to regulations also puts 
businesses at risk when trying to ascertain which rules and/or 
regulations to apply. International transactions are especially 
difficult. 

Choosing which regulation is especially important when trying 
to understand which body is regulating the activity. 

• International regulatory controls 
   • UK FSA, PRA, FCA or all three? 

• International compliance with FATCA by IRS 

• FSB has new authority through IMF and G20. 

Knowing or choosing regulations on a global basis can have 
direct bottom-line implications. 

Assessing compliance functions and surfacing anomalies is also 
a key capability of Be Informed. 

Management can be in control of regulatory choice. 

• Regulatory compliance or internal compliance 

• Local, trans-national, or global compliance 

• Improvement of investigative functions 

• Rapid response to new legislation or approved 
regulatory imposition. 


Governance - the G in GRC 

No director or management executive can be expected to 
understand every regulation and policy that drives governance 
requirements. Notwithstanding, they are held accountable and 
liable to censure, sanctions, fines and even imprisonment. 

Be Informed can assure management that all operators 
utilizing the Be Informed implemented models are not only 
compliant, but also able to prove it. The addition of real-time 
capability also allows management to predict problems before 
they become crises. 
Run the business, not the rules

Watching the business, not your back

What’s next?

In other words, they are not only operating correctly, but are 
known to be operating correctly. This can reduce the impact 
of sudden regulatory audits or “gotcha” thinking. This means 
that the business executives can concentrate on running their 
business to drive revenues and stakeholder value. 

• Improved supervision and oversight for management 
executives with real-time regulatory oversight 
capability 

• All outputs of corporate governance are coherent and 
consistent with full reasoning chain; here’s what I did 
and why 

• World-view best practices modeled and useable by 
mere mortals 

• Documented qualitative and quantitative processes - 
complete histories of all activity. 

A key requirement of senior executives is to assure compliance 
at all levels within the enterprise. 


Executive and board awareness 

A key problem at the board-of-directors level is that they are 
responsible both professionally and personally for the 
activities of their regulated businesses. Giving them the tools 
to assure compliance allows them to focus on growing 
stakeholder value while avoiding the pitfalls of unknown and 
complex rules. 

“Line of sight” management is not limited to regulatory 
controls. Be Informed can provide full business 
management reporting on customers, risk profiles (both 
internal and external) and human resource activity at the 
business and IT levels. Management reporting can also include 
all IT services to assure optimal operational support for the 
business units. 


Seeing beyond the horizon 

Management cannot predict the systemic effects of regulation 
on their business. Nor can they predict the expanding 
perimeter of regulatory incursion into their business. They are 
already being asked to prepare for an unpredictable future. 
An expected paradigm ahead of its time

I know what a rules engine is

Value what was good in the past, and embrace what the future holds

How fast can we adapt? What are the consequences for 
operations, revenues, stakeholder value if we can’t? 

• Ready to adapt to increasing regulatory perimeter 
(credit agencies - hedge funds) 

• What’s next? Shadow banking, payments and clearing? 

• Tracking of FSB regulatory regimes; modeling and 
preparation 

• Recovery and restitution planning and stress testing 

• Real-time systemic risk analytics 

• Closer regulator cooperation. 


Technology impact 

Concept computing uses semantics and executable models tied 
to inference engines to deliver rapid processing capability 
associated with rules. 

• Meaning derives from networks of relationships 
between concepts 

• Modeled separately from IT systems. 

Concept modeling is a new way of creating support systems 
that does not use traditional computing analysis and design 
models. 


A paradigm shift for IT executives 

Much more than, and different from, a rule engine. 

• The model is the design, is the documentation, is the 
application, is the user interface 

• The model is the application: at every stage of 
development, the model executes “Growing Live” 

• The model self-documents, and explains decisions and 
actions 

• Change devices, channels, or the models, and the 
system behavior changes automatically. 

No old ideas: flow-charting, orthogonal design, coding and 
modeling all cost time, effort and money. 

The Be Informed “be structured” technique of implementation assures 
rapid implementation without the wasted efforts. This 
translates into bottom-line savings and top-line productivity. 

• Modeling allows mere mortals to produce functional 
models that work 
• Business-specific, not code-dependent 

• Multiple user-friendly modes of development: 
graphical, forms, spreadsheets and controlled natural 
language 

• Natural expressiveness that is machine-computable. 

IT becomes a service function as it was always expected to be

Implementation of Be Informed concept models can be 
designed and developed by subject-matter experts. There is 
no need for IT professionals to provide anything other than 
services. This moves the productivity to the business units, 
without them having to operate their own infrastructure. 


Smaller is better

Sometimes a small group of special forces can do more than a brigade of soldiers

• Smaller functional teams 

• Development is two to ten times faster 

• Reduced risk 

• Integration with existing systems is non-invasive 

• Development is iterative and executable in all phases 

• Deployment is incremental. 


Unlike conventional analysis, design, programming and 
implementation strategies, concept modeling allows faster 
access to productive processes through gradual 
implementation. 


Whoops, let’s start over

This reduces the risk found in conventional systems that 
commonly occurs when a “whoops” moment happens. Some 
dependency was overlooked and the system needs a complete 
and systemic redesign. 

• Operating costs 30% less 

• Cost of ownership 60% less, and time to make changes 
and adapt 90% less 

• Changing models is easier than rewriting code and far 
less costly to manage and maintain. 


The results speak for themselves. Be Informed customers 
report reductions of 30, 60 and 90% in operating costs, total 
cost of ownership, and most importantly, the cost of change, 
respectively. 